WO2018224571A1 - Collecting device, mobile device program product, and method for a security analysis of a computing system - Google Patents


Info

Publication number: WO2018224571A1
Authority: WO (WIPO (PCT))
Application number: PCT/EP2018/064940
Other languages: French (fr)
Inventor: Vito Rallo
Original Assignee: Pwc Enterprise Advisory Cvba
Prior art keywords: computing system, collecting device, mobile device, security analysis, communication means

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153 Using hardware token as a secondary aspect

Definitions

  • The current invention concerns a collecting device for gathering security analysis data from a computing system.
  • The collecting device comprises a communication means for transmitting said security analysis data to a mobile device.
  • The current invention concerns a mobile device program product for processing the security analysis data and presenting related information on a display of the mobile device, and a method for performing a security analysis of the computing system.
  • Computer security is the protection of computer systems from the theft or damage to the software or information on them, as well as from disruption or misdirection of the services they provide. Harm may come from various sources such as, for example, unintended misuse, backdoor methods, viruses, worms, trojan horses, keyloggers, and covert listening devices.
  • Computer security analysis may be performed by executing software or by human intervention.
  • The former most often requires the installation of security analysis software on the computing system to be analyzed, and requires connectivity of the computing system to an external service for obtaining information regarding newly discovered threats.
  • Human intervention, on the other hand, requires specialist training and can therefore be very costly.
  • US 9,654,496 discloses a device which may detect a suspicious activity. The device may automatically obtain a suspect object from a client device that is associated with the suspicious activity and based on detecting the suspicious activity. The suspect object may be an object that is possibly associated with the suspicious activity. The device may determine that the suspect object is malicious. The device may perform an action based on determining that the suspect object is malicious.
  • US 9,654,496 however is inflexible in its use and.
  • US 8,793,795 discloses a computer forensic accelerator engine designed to speed up the forensic analysis process. It is a device for use with an analysis device to analyze data on a suspect computer device, and includes a first interface for connecting to the suspect computer device, a second interface for connecting to the analysis device, and a processing unit programmed to read data from the suspect device via the first interface, perform analysis on the data, transmit the data to the analysis device via the second interface, and transmit results of the analysis to the analysis device via the second interface.
  • US 8,793,795 lacks many of the provisions needed for flexible usage, and furthermore is overly complex.
  • US 2012/0324067 discloses a managed Universal Serial Bus (USB) service capability configured to use a mobile computing device (e.g., a smartphone or other suitable mobile computing device) to support a set of services for a computer (e.g., a desktop, a laptop, and the like) capable of connecting to the mobile computing device via a USB connection.
  • The managed USB service capability enables local and/or remote control of the mobile computing device to operate in various USB device classes, such that the mobile computing device can provide various managed USB services for the computer via the peripheral connection.
  • The mobile computing device may be dynamically configured to operate as one or more of a network interface, a virtual private network (VPN) client, a smart card, a serial console, a mass-storage device, a booting device, and the like.
  • VPN: virtual private network
  • US 2012/0324067 does not disclose the use of the USB service capability for security analysis. However, if the USB service capability were used for this end, security analysis software would run from the mobile computing device. The latter can therefore not be disconnected or removed during collection of security analysis data from the user computing system. The mobile computing device can then also not be used to full capacity, as part of its resources is reserved for the security analysis software.
  • US 2014/0115487 discloses an intermediary interface system for remote servicing of a computer in a local customer system by a remote representative system even if the local customer system does not have a network connection to the remote representative system.
  • The intermediary interface system includes a smartphone and a dongle. The dongle interfaces the video output and the keyboard and mouse inputs of the local customer system with the smartphone.
  • The smartphone wirelessly interfaces the dongle with the remote representative system.
  • The representative system displays the video signal from the local customer system for analysis and sends keyboard and mouse signals to the local customer system in response, without requiring a network connection between the local customer system and the remote representative system.
  • The method disclosed in US 2014/0115487 relies on the intermediary interface system to service the local customer system via the remote representative system. The transmission of a large amount of data to and/or from the remote representative system may render the analysis or service slow, costly, or even impossible to perform.
  • Since the connection relies on the smartphone, which wirelessly interfaces the dongle with the remote representative system, the smartphone cannot be disconnected or removed during analysis or servicing. The smartphone can then also not be used to full capacity, as part of its resources is reserved for the wireless interface between the dongle and the remote representative system.
  • The present invention aims to resolve at least some of the problems mentioned above.
  • The present invention provides a collecting device for a security analysis of a computing system, as disclosed in claim 1.
  • The present invention provides a mobile device program product for a security analysis of a computing system, as disclosed in claim 17.
  • The present invention provides a method for a security analysis of a computing system, as disclosed in claim 21.
  • The present invention provides a use according to claim 25.
  • The advantage of the present invention lies in the flexible and orthogonal addressing of the collecting device or "target", which provides for flexibility and user friendliness, combined with generic, interference-free and single-access-point reporting of security analysis data.
  • The flexibility lies in the fact that the security analysis data is sent to a mobile device.
  • The user may be provided with the security analysis data via a mobile device such as a smartphone, laptop or tablet, which is much more familiar to most users than a separate security device, and is therefore preferred by the user as means of interaction.
  • The invention teaches to provide a collecting device acting as middleman between the computing system and the mobile device, rather than attempting to let the mobile device interact with the computing system directly. Such a direct interaction is problematic for several reasons.
  • The invention provides for a generic approach that allows circumventing installing drivers or configuring parameters on the computing system, while also being operable with regular mobile devices that are not jailbroken or rooted.
  • With a collecting device according to the present invention, according to a preferred embodiment, it is relatively easy to provide a security analysis app on the mobile device that meets all security requirements, using a predefined and popular protocol stack such as Bluetooth, which comes with the operating system of the mobile device, to communicate with the predefined and hence predictable second communication means present in the collecting device.
  • The collecting device uses a first communication means different from the second communication means for interacting with the computing system, whereby the first communication means may be chosen so as to enhance generic addressing of a wide variety of computing systems, e.g. by complying with HID device requirements, thereby circumventing installing drivers and/or configuring parameters on the computing system.
  • Using the mobile device together with the collecting device, instead of letting the mobile device interact directly with the computing system, may provide for further advantages. Particularly, it allows taking into account the limited power/battery resources of the mobile device, by flexibly offloading the power-consuming task of gathering the security analysis data to the collecting device, which need not be mobile with respect to the computing system and preferably is connected to the computing system with a wired connection. Also, this flexible set-up is provided such that a single point of access toward the computing system is provided. It is well known that computing systems may be protected against external access to internal security-related information.
  • A single access point provided by the collecting device, which acts as middleman in the chain between the computing system and the mobile device, allows for maximal robustness toward safety measures present in the computing system.
  • The chain between the computing system, the collecting device and the mobile device is such that the communication means/technology between the computing system and the collecting device differs from that between the collecting device and the mobile device.
  • Such an orthogonal approach mitigates the chance of interference, and moreover allows a "double blind" connection approach with respect to security analysis, whereby the mobile device may or may not be computing-system-agnostic and vice versa.
  • This is particularly advantageous where some level of privacy and/or anonymization is desirable (see e.g. "fast scan mode" as described in this document), preventing the computing system and the mobile device from identifying each other, e.g. on the same Ethernet or the same Wi-Fi network, which may lead to an undesirable trace of said security analysis.
  • US 9,654,496 discloses a device comprising a communication interface but lacks any disclosure with respect to the use of said communication interface for sending security analysis data to a further device.
  • US 9,654,496 does not disclose said further device being a mobile device, and hence does not enable the user-friendliness provided by the present invention.
  • US 9,654,496 does not disclose said second communication means being different from said first communication means, and hence does not allow for said interference-free and/or "double blind" and/or orthogonal operation.
  • The invention furthermore differs significantly from the computer forensic tool according to US 8,793,795.
  • Since US 8,793,795 is aimed at the different goal of speeding up the forensic analysis process, all connections are assumed wired, and no second communication means being different from a first communication means is disclosed.
  • No use of a mobile device is disclosed.
  • Figure 1 shows a schematic overview of devices and communication channels which can be used in a preferred embodiment of the present invention.
  • FIG. 2 shows a block diagram of a preferred embodiment of the method of the present invention.

Detailed description of the invention

  • The present invention concerns a collecting device, a mobile device program product, and a method for a security analysis of a computing system.
  • “First device” is an umbrella term referring to a first class of devices including the “collecting device”.
  • “Second device” is an umbrella term referring to a second class of devices including the “mobile device”.
  • Mobile device refers to any portable computing device. Examples of mobile devices include a smartphone, a smartwatch, a laptop computer, a tablet computer, other portable handheld devices, and the like.
  • A compartment refers to one or more than one compartment.
  • Communication comprises any analog or digital data communication between computing devices. Communication can be wired or wireless. Communication is not limited by the used protocol.
  • A non-limiting list of examples of communication technologies comprises 2G, 3G, 3G+, 3GPP, 4G, 4G+, 5G, 6LowPAN, Bluetooth, Bluetooth 4.0, Bluetooth 4.1, Bluetooth 4.2, Bluetooth 5, Bluetooth Low-Energy, CDMA, CDMA2000, Cellular, Dash7, EDGE, EDGE Evolution, Ethernet, EV-DO, Flash-OFDM, GPRS, GSM, HIPERMAN, HSPA, iBurst, IEEE 802.11a, IEEE 802.11ac, IEEE 802.11b, IEEE 802.
  • USB: Universal Serial Bus
  • The standard defines interrelated USB ports and USB connectors.
  • A non-limiting list of examples of USB standards comprises the USB 2.0, USB 3.0, and USB 3.1 standards.
  • A non-limiting list of examples of USB formats comprises the standard, mini, and micro formats.
  • Bluetooth refers to a wireless technology standard for exchanging data over short distances. Bluetooth may or may not require the pairing of devices before communication can be established between the devices. Insofar pairing is required in a particular Bluetooth standard used in a particular embodiment of the present invention, it is implicitly assumed that such pairing is performed between the devices to enable the communication.
  • Wi-Fi refers to any wireless local area network product based on the Institute of Electrical and Electronics Engineers' 802.11 standards. Wi-Fi can be used to establish connection of a device with the internet, a local area network such as a campus-wide network, or with another device.
  • Wireless mobile telecommunications technology refers to any communication standard for establishing mobile internet access. Examples of wireless mobile telecommunications technology include the third generation (3G), the fourth generation (4G), and the fifth generation (5G).
  • User input device refers to a device for providing input by a user to a computing device.
  • The input is not limited by modality and can encompass mechanical movement, sound, images, and the like.
  • The input can be discrete and/or continuous.
  • The input is also not limited by the number of degrees of freedom.
  • The input can be direct or indirect.
  • The input can be absolute or relative.
  • A non-limiting list of examples of user input devices comprises a keyboard, a computer mouse, a touchpad, a touchscreen, a camera, a scanner, a joystick, a microphone, a light pen, a trackball, a projected keyboard, a game controller, a card reader, and the like.
  • The present invention provides a collecting device for a security analysis of a computing system.
  • The collecting device comprises a first communication means suitable for communicating with the computing system, a second communication means, which may be equal to but is preferably distinct from the first communication means, the second communication means being suitable for communicating with a mobile device, and a non-transitory storage medium.
  • The non-transitory storage medium comprises computer executable instructions intended for generating security analysis data.
  • The collecting device is configured to, upon establishing communication with the computing system via the first communication means, load the computer executable instructions from the non-transitory storage medium, execute the computer executable instructions, gather security analysis data from the computing system, and send the security analysis data to a mobile device via the second communication means.
  • Any step, or any combination of steps, performed by the collecting device is either triggered by the mobile device or performed while reporting to the mobile device by sending data to it.
  • Such an advantage is not offered by US 9,654,496. The present invention provides a user of said computing system with control over the collecting device and the actions performed by said collecting device. Such control is not provided by US 9,654,496, leading to problematic situations, for instance in cases where the computing system is uncooperative and/or commandeered. In such cases, according to US 9,654,496, the user of the computing system must take control of the security device itself to gain control over the actions performed, which may be undesirable and/or infeasible.
  • A security device that is a single entity leads to the practical problem of having to be available and connected to the computing device throughout the entire operation of generating security analysis data.
  • The security device is advantageously split up into a collecting device and a mobile device, wherein control-related functionality is implemented in the mobile device, whereas the actual functions required for performing the task at hand are implemented in the collecting device.
  • The present invention provides the user of the computing device with a remote control over the actions performed by the security device, wherein the remote control is preferably implemented as an app running on the smartphone of the user.
  • The invention provides a solution wherein the user is "in the driving seat", deciding on whether or not a security analysis is needed, and moreover being the one who receives the result of such analysis.
  • This may concern privileged access to this information, wherein only the user may be aware of the result of the security analysis, or, more preferably, only the user is aware of the security analysis being performed.
  • The solution provided by the invention lowers the threshold for users to start a security analysis.
  • Said step of loading said computer executable instructions and said executing is triggered by a user-selected instruction from said mobile device via said second communication means, wherein preferably said user of said mobile device is also a user of said computing system.
  • Said collecting device is a dongle, wherein preferably a largest dimension of said collecting device is not larger than 150 mm, more preferably wherein an outer surface of said collecting device is contained entirely in a volume of dimensions 150 mm x 50 mm x 50 mm.
  • A dongle is convenient, is easy to carry around together with the mobile device, and allows an easy fit for any computing system to be analyzed, also if the computing system is located in a narrow space. This leads to a usage of the collecting device fundamentally different from that of a device according to US 9,654,496, which does not allow the collecting device to be carried around by the user.
  • Said security analysis data is not stored on either of said computing system and said collecting device; preferably it is not stored on any of said computing system, said collecting device, and said mobile device.
  • Such an embodiment may or may not relate to fast scan mode. It advantageously provides for more control for the user, whereby the user may perform a diagnosis by himself without fearing a leak of security data or other data via any of the computing system, the collecting device and/or the mobile device. This lowers the threshold for executing the security analysis, leading to an incentive for performing security checks more frequently, and hence to overall increased security.
  • Said computer executable instructions comprise a plurality of self-analysis instructions, said self-analysis instructions preferably being scripting language instructions, for execution by said computing system for performing said security analysis as a self-analysis, and said step of gathering security analysis data from the computing system comprises, preferably consists of, the sub-steps of:
  • The computer executable instructions hence comprise both instructions for the collecting device to execute, on the one hand, and self-analysis instructions to be transferred to said computing system, on the other hand.
  • The computer executable instructions may relate to establishing communication between the collecting device, preferably a dongle, and the computing system.
  • The computer executable instructions may relate to opening a self-analysis-instruction-receptive application, preferably a security-related application and/or diagnostic application and/or task automation framework and/or configuration management framework and/or command-line shell application on the computing system, such as PowerShell for Microsoft, Linux or OS X.
  • Such a self-analysis-instruction-receptive application may then receive the plurality of self-analysis instructions from the collecting device and may perform the security analysis by executing these self-analysis instructions.
  • The major advantage hereof is that the tasks performed by the collecting device are limited to the mere handing over of instructions, rather than performing these tasks itself, which may be intrusive, may involve security-related information, and may trigger some security mechanism and/or threat detection mechanism present in the computing system that blocks further activity of the collecting device.
  • This embodiment advantageously provides means to avoid the computing system being "alarmed" by the collecting device activity, by delegating the actual security analysis to the computing device in a transparent way, based on self-analysis instructions.
  • Said plurality of self-analysis instructions relates to human-interpretable instructions, preferably scripting language instructions and/or source code instructions.
  • Said computing device comprises a display.
  • Said step of transferring said plurality of self-analysis instructions by said collecting device to said computing system comprises transferring a visualization-related instruction intended for said computing system, requiring said computing system to display at least one of said plurality of self-analysis instructions during and/or after said execution of said plurality of self-analysis instructions, preferably requiring said computing system to display said plurality of self-analysis instructions in real time as they are being executed by said computing system.
  • Said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating a HID keyboard or a HID joystick.
  • This embodiment is advantageous in that the choice of communication based on HID is particularly suitable for the aim of the present invention, since HID devices usually do not trigger the many security mechanisms present in typical computing systems. Hence, by choosing HID, it is prevented that a security mechanism of the computing system labels the collecting device as suspicious and/or blocks the security analysis.
  • Said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating a HID keyboard or a HID joystick; wherein said transferring of said plurality of self-analysis instructions relates to transferring a sequence of HID instructions representing said plurality of self-analysis instructions from said collecting device to said computing system, and wherein said receiving of said self-analysis by said collecting device relates to receiving one or more HID instructions representing said self-analysis.
  • The collecting device may be equivalent to a "virtual security expert" that is "typing" the instructions into the computing system.
  • The first communication means complies with any or any combination of the following: USB HID, Bluetooth HID, Serial HID remote control receiver, ZigBee HID, HID over I2C, HID over GATT.
  • The collecting device may comprise a processor, e.g. a CISC processor, a RISC processor, a microprocessor or a microcontroller.
  • The collecting device is further configured to:
  • upon establishing communication with the mobile device over the second communication means, let the mobile device download updated computer executable instructions from a remote server, preferably taking into account said determined hardware and operating system specification, said downloading preferably being performed via a further communication means different from said first and said second communication means,
  • This is advantageous in that it allows performing the security analysis based on up-to-date information.
  • The communication means needed to connect with the remote server are not sought in the computing system, which would be inappropriate particularly in cases where the system might be compromised and hence preferably is not connected to any network or any device other than said collecting device. Rather, these communication means are provided by the mobile device.
  • Since the hardware and operating system specification is determined in a first step, this furthermore leads to performing the security analysis according to computer executable instructions that are tailored to the given computing system, which may contribute to a more reliable security analysis.
  • The first communication means is a wired communication means able to provide power to the collecting device upon establishing communication with the computing system.
  • The first communication means is a Universal Serial Bus (USB) connector. This USB connector can be of any USB standard and of any USB format.
  • The second communication means is a wireless communication means. This is advantageous when the collecting device is attached to the computing device at a location which is difficult to reach.
  • The second communication means is a Bluetooth communications module.
  • The present invention provides a mobile device program product for a security analysis of a computing system.
  • The mobile device program product comprises a plurality of mobile device executable instructions for execution on a mobile device.
  • The mobile device comprises a processor for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a third communication means suitable for communicating with the second communication means of the collecting device according to the first aspect of the present invention.
  • The mobile device program product comprises instructions to receive security analysis data from the collecting device via the third communication means, process the received security analysis data resulting in a first diagnosis, and present information related to the first diagnosis on the display of the mobile device.
  • The third communication means of the mobile device is a wireless communication means.
  • The third communication means is a Bluetooth communications module.
  • The present invention provides a method for a security analysis of a computing system.
  • The method requires a collecting device and a mobile device.
  • The method comprises the steps of: - enabling communication between the collecting device and the computing system,
  • The security analysis data is an intermediate form of data composed of any information which can be retrieved on the computing system.
  • The security analysis data is then subsequently processed into the first diagnosis.
  • The security analysis data may be any data in the spectrum between the information which can be directly retrieved on the computing system and the first diagnosis.
  • The security analysis data may therefore comprise one or more of the following:
  • The collecting device comprises a full scan operation mode and a fast scan operation mode.
  • The security analysis data comprises raw data retrievable on the computing system and/or a processed form of intermediary data.
  • The security analysis data comprises the first diagnosis.
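As an added example (not code from the patent or from the applicant), the following Python sketches the mobile-device-side processing described above: it accepts security analysis data anywhere on the spectrum from raw data retrieved on the computing system, via intermediary findings, to a first diagnosis already computed elsewhere, reduces it to a first diagnosis, and renders lines for the mobile device display. The JSON field names, the heuristic rules and their thresholds, and the sample payload are all constructed for illustration; nothing is written to persistent storage, in keeping with the embodiment in which the security analysis data is not stored on any of the devices.

```python
"""Mobile-device-side processing of security analysis data into a first diagnosis.

Added example, not code from the patent. It assumes the self-analysis
instructions emit a JSON document with the fields used below; every field
name, rule threshold and sample value here is constructed for illustration.
"""
import json
from dataclasses import dataclass, field

# Constructed sample of the security analysis data the dongle relays over the
# second/third communication means (Bluetooth in the preferred embodiment).
SAMPLE_PAYLOAD = json.dumps({
    "os": {"name": "Windows", "version": "10.0.19045"},
    "av": {"enabled": False, "signatures_age_days": 41},
    "firewall": {"enabled": True},
    "autoruns": [
        {"name": "OneDrive", "path": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "signed": True},
        {"name": "updater", "path": "C:\\Users\\Public\\updater.exe", "signed": False},
    ],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    severity: str  # "low", "medium" or "high"
    summary: str


@dataclass
class Diagnosis:
    verdict: str  # highest severity seen, or "clean"
    findings: list = field(default_factory=list)


def analyze_raw(raw: dict) -> list:
    """Turn raw data retrieved on the computing system into findings (illustrative rules)."""
    findings = []
    av = raw.get("av", {})
    if not av.get("enabled", True):
        findings.append(Finding("high", "Anti-malware protection is disabled"))
    elif av.get("signatures_age_days", 0) > 7:
        findings.append(Finding("medium",
                                f"Anti-malware signatures are {av['signatures_age_days']} days old"))
    if not raw.get("firewall", {}).get("enabled", True):
        findings.append(Finding("high", "Host firewall is disabled"))
    for entry in raw.get("autoruns", []):
        if not entry.get("signed", False):
            findings.append(Finding("medium",
                                    f"Unsigned autorun entry '{entry['name']}' at {entry['path']}"))
    return findings


def diagnose(findings: list) -> Diagnosis:
    """Reduce a list of findings to the first diagnosis."""
    if not findings:
        return Diagnosis("clean", [])
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity])
    return Diagnosis(worst.severity, list(findings))


def process_security_analysis_data(payload: str) -> Diagnosis:
    """Accept any point on the spectrum from raw data to a finished diagnosis.

    Raw data is analysed, intermediary findings are only reduced, and a
    diagnosis already computed on the dongle is passed through unchanged.
    Everything stays in memory: nothing is written to persistent storage.
    """
    data = json.loads(payload)
    if "verdict" in data:
        return Diagnosis(data["verdict"], [Finding(**f) for f in data.get("findings", [])])
    if "findings" in data:
        return diagnose([Finding(**f) for f in data["findings"]])
    return diagnose(analyze_raw(data))


def render(diagnosis: Diagnosis) -> list:
    """Lines to present on the mobile device display, most severe first."""
    lines = [f"Diagnosis: {diagnosis.verdict.upper()}"]
    for f in sorted(diagnosis.findings, key=lambda f: -SEVERITY_RANK[f.severity]):
        lines.append(f"[{f.severity}] {f.summary}")
    return lines


if __name__ == "__main__":
    for line in render(process_security_analysis_data(SAMPLE_PAYLOAD)):
        print(line)
```

The three input shapes are told apart by their keys only, so a dongle operating in full scan mode can ship raw data while a fast scan ships pre-reduced findings, and the app code path is the same.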
  • The collecting device comprises computer executable instructions for generating security analysis data about the computing system and also gathers this data.
  • The mobile device does not need to be present near the collecting device or computing system.
  • The mobile device also need not be in communication with the collecting device. Resources of the mobile device such as processor time or memory are not used during this operation.
  • The mobile device can be carried away to another location and can, without restriction of the mentioned resources, be used for other functionalities such as searching for information on the internet or making a phone call, for example. Only when the gathered data is transmitted from the collecting device to the mobile device for processing does the mobile device need to be in communication with the collecting device to enable the transmission. Subsequently, during processing of the security analysis data resulting in the first diagnosis, the mobile device can again be distanced from the collecting device or computing system.
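As an added example (not code from the patent or from the applicant), the following Python simulates the exchange between the collecting device and the mobile device program product that the items on the device configuration, on specification-tailored updated instructions, and on the decoupling of the mobile device describe: the app triggers the device, the device reports the hardware and operating system specification it determined, the app supplies updated instructions tailored to that specification (fetched from a remote server by the mobile device, not by the computing system), the device gathers data into a buffer while the mobile device may be out of range, and the buffered data is delivered on the next fetch without being retained. Both links are modelled as Python calls; the message types, the length-prefixed JSON framing, the scan-mode tables and the ComputingSystem stub with its facts are all constructed for illustration.

```python
"""Simulated message exchange between the collecting device and the mobile app.

Added example, not code from the patent or the applicant. The first
communication means (the link to the computing system) and the second/third
communication means (the link to the mobile device) are modelled as Python
calls; the message types, the length-prefixed JSON framing and all sample
facts are constructed for illustration.
"""
import json
import struct
from collections import deque


def frame(msg: dict) -> bytes:
    """Length-prefixed JSON frame for a byte-stream link such as Bluetooth serial."""
    body = json.dumps(msg).encode()
    return struct.pack(">I", len(body)) + body


def unframe(buf: bytes) -> list:
    """Split a byte buffer back into the messages it carries."""
    msgs, pos = [], 0
    while pos < len(buf):
        (n,) = struct.unpack(">I", buf[pos:pos + 4])
        msgs.append(json.loads(buf[pos + 4:pos + 4 + n]))
        pos += 4 + n
    return msgs


class ComputingSystem:
    """Stand-in for the analysed computer; answers checks from constructed facts only."""

    def __init__(self, os_name: str, facts: dict):
        self.os_name, self.facts = os_name, facts

    def describe(self) -> dict:
        return {"os": self.os_name}

    def self_analyse(self, check: str):
        # In the patent the computing system runs a handed-over script here;
        # this stub just looks the answer up in the constructed facts.
        return self.facts.get(check)


class CollectingDevice:
    """The dongle: holds the instructions, gathers data, buffers it for the mobile device."""

    def __init__(self, instructions: dict):
        self.instructions = instructions  # loaded from the non-transitory storage medium
        self.spec = None
        self.outbox = deque()  # results wait here while the mobile device is away

    def attach(self, system: ComputingSystem) -> None:
        """First communication means established: determine the hardware/OS specification."""
        self.system = system
        self.spec = system.describe()

    def handle(self, msg: dict) -> list:
        """React to one message from the mobile device and return the reply messages."""
        kind = msg.get("type")
        if kind == "hello":
            return [{"type": "spec", "spec": self.spec,
                     "instructions_version": self.instructions["version"]}]
        if kind == "update_instructions":
            # The mobile device, not the computing system, fetched these from the remote server.
            self.instructions = msg["instructions"]
            return [{"type": "ack", "instructions_version": self.instructions["version"]}]
        if kind == "start_scan":
            checks = self.instructions["checks"][self.spec["os"]][msg["mode"]]
            for check in checks:
                self.outbox.append({"type": "data", "check": check,
                                    "result": self.system.self_analyse(check)})
            self.outbox.append({"type": "done", "mode": msg["mode"], "items": len(checks)})
            return []  # nothing is pushed now; the mobile device may already be out of range
        if kind == "fetch":
            delivered = list(self.outbox)
            self.outbox.clear()  # delivered data is not retained on the device
            return delivered
        return [{"type": "error", "reason": f"unknown message type {kind!r}"}]


def send(dongle: CollectingDevice, msg: dict) -> list:
    """Push one framed message over the simulated link and unframe the replies."""
    (received,) = unframe(frame(msg))
    return unframe(b"".join(frame(reply) for reply in dongle.handle(received)))


def scenario() -> dict:
    """Trigger from the app, tailor instructions to the OS, scan while the phone is away, fetch later."""
    system = ComputingSystem("windows", {"av_enabled": False, "firewall_enabled": True})  # constructed
    stored = {"version": 1, "checks": {"windows": {"fast": ["av_enabled"],
                                                   "full": ["av_enabled", "firewall_enabled"]}}}
    latest = {"version": 2, "checks": {"windows": {"fast": ["av_enabled", "firewall_enabled"],
                                                   "full": ["av_enabled", "firewall_enabled"]},
                                       "linux": {"fast": ["firewall_enabled"],
                                                 "full": ["firewall_enabled"]}}}
    dongle = CollectingDevice(stored)
    dongle.attach(system)
    (spec,) = send(dongle, {"type": "hello"})
    version = spec["instructions_version"]
    if version < latest["version"]:
        (ack,) = send(dongle, {"type": "update_instructions", "instructions": latest})
        version = ack["instructions_version"]
    send(dongle, {"type": "start_scan", "mode": "fast"})  # user-selected from the app
    # ... the user walks away with the phone; the dongle keeps the results in its outbox ...
    results = send(dongle, {"type": "fetch"})  # back in range: collect what was gathered
    leftover = send(dongle, {"type": "fetch"})  # a second fetch finds nothing left on the dongle
    return {"spec": spec["spec"], "version": version, "results": results, "leftover": leftover}


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The scan reply is deliberately empty: results are only ever pulled by a fetch, which is what lets the phone leave between the user-selected trigger and the transfer, and clearing the outbox on delivery is what keeps the security analysis data from accumulating on the dongle.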
  • Collecting devices which comprise a USB connector and a Bluetooth communications module, are known in the art as dongles.
  • in what follows, we refer to the collecting device as a dongle, the first communication means as a USB connector, the second communication means as a Bluetooth communication module, and the third communication means as a Bluetooth communication module.
  • these terms are only used to indicate a preferred embodiment of the present invention, and should not be interpreted as limiting.
  • a dongle may refer to any collecting device according to the first aspect of the present invention
  • USB connector and/or USB port may refer to any communication means suitable for communication between the computing system and the collecting device
  • Bluetooth communication module may refer to any communication means suitable for communication between the collecting device and the mobile device.
  • FIG. 1 shows a schematic overview of the devices (1, 3, 4, 5) and wireless communication channels (7, 8, 9, 10) which can be used in a preferred embodiment of the present invention.
  • a security analysis of a computing system (1) comprising one or more USB ports (2) is desired.
  • a dongle (3) is provided.
  • the dongle (3) comprises a USB connector for connection (6) in a USB port (2) of the computing system (1).
  • the dongle (3) receives power from the computing system (1).
  • the dongle (3) further comprises a Bluetooth communications module for communicating (7, 8) with a mobile device (4).
  • the dongle (3) also comprises a non-transitory storage medium comprising computer executable instructions for generating security analysis data about the computing system (1). After loading and executing the computer executable instructions, the security analysis data is gathered on the dongle (3) and transmitted (8) to the mobile device (4) via the Bluetooth communications module of the dongle (3).
  • the mobile device (4) may comprise a non-transitory storage medium for storing a mobile device program product.
  • the mobile device program product comprises a plurality of mobile device executable instructions.
  • the mobile device (4) further comprises a processor suitable for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a Bluetooth communications module.
  • the mobile device program product comprises instructions to receive (8) the security analysis data from the dongle (3) via the Bluetooth communications module of the mobile device (4), process the received security analysis data resulting in a first diagnosis, and present information related to the first diagnosis on the display of the mobile device (4).
  • the dongle (3) comprises computer executable instructions for generating security analysis data about the computing system (1) and also gathers this data.
  • the mobile device (4) does not need to be present near the dongle (3) or the computing system (1).
  • the mobile device (4) should also not be in communication (7, 8) with the dongle.
  • Resources of the mobile device (4) such as processor capability or memory are not used during this operation.
  • the mobile device (4) can be carried away to another location and can, without restriction of the mentioned resources, be used for other functionalities such as searching for information on the internet or making a phone call, for example. Only when the gathered security analysis data is transmitted (8) from the dongle (3) to the mobile device (4) for processing, the mobile device (4) should be present near the dongle (3) to enable the transmission.
  • the mobile device program product further comprises mobile device executable instructions for presenting a starting option on the display of the mobile device (4).
  • a starting signal is transmitted (7) from the mobile device (4) to the dongle (3).
  • the reception of the starting signal with the Bluetooth communication module of the dongle (3) then triggers the loading of computer executable instructions from the non-transitory storage medium of the dongle (3) and their execution for obtaining the security analysis data.
  • the dongle (3) further comprises a processor, and the computer executable instructions are executed on the processor of the dongle (3) in order to emulate one or more user input devices for obtaining the desired security analysis data.
  • the computing system (1) comprises a processor and the computer executable instructions are loaded from the non-transitory storage medium of the dongle (3) and executed by the processor of the computing system (1).
  • the dongle (3) comprises a first processor and the computing system (1) comprises a second processor, and a part of the computer executable instructions are executed by the first processor and a part of the computer executable instructions are executed by the second processor.
  • the mobile device (4) further comprises a Wi-Fi module and/or a wireless mobile telecommunications technology module suitable for communicating (9, 10) with a remote server (5).
  • the mobile device program product comprises in this embodiment instructions to send (9) the security analysis data from the mobile device (4) to the remote server (5). On the remote server (5), the security analysis data is then processed resulting in a second diagnosis. Subsequently, the second diagnosis is sent (10) from the remote server (5) to the mobile device (4).
  • the mobile device program product comprises instructions to receive the second diagnosis. It also comprises instructions to present information related to the second diagnosis on the display of the mobile device (4) upon reception.
  • This remote server (5) can, for example, also comprise a database holding a large amount of information for performing a more detailed security analysis, an amount of information too large to be stored on the non-transitory storage medium of the mobile device (4).
  • the mobile device program product further comprises instructions for selecting one or more redress options from a redress option list based on the first and/or second diagnosis.
  • the redress option list may include an update option for performing a software update on the computing system.
  • the redress option list may also include a second opinion option if only a first diagnosis has been formed.
  • the redress option list may further include a transmission option for sending redress information related to the security analysis data, which may fully or partially comprise the security analysis data, to a third-party service.
  • the third-party service may be able to provide a human interpretation of the redress information.
  • the third-party service may also be able to provide a third diagnosis based on a computer-implemented method for processing the redress information.
  • the redress option list may further include a contact option for contacting a specialist service.
  • the contact may be established via telephone.
  • the contact may also be established by autofill and submission of an online form of the specialist service by the mobile device program product.
  • a stop option may also be presented, for example if no security breach of the computing system was detected.
  • the mobile device program product may also comprise instructions to present the selected redress options on the display of the mobile device (4) as well as instructions to trigger a presented redress option upon selection of the presented option with the user input device of the mobile device (4).
  • the dongle (3) is configured to store the gathered security analysis data on its non-transitory storage medium, to fully or partially load the security analysis data upon reception of a transmission request from the mobile device (4), and to send the loaded full or partial security analysis data to the mobile device (4).
  • the dongle (3) is able to determine a hardware and operating system specification of the computing system (1), and to send (8) the determined hardware and operating system specification to the mobile device (4).
  • the determined hardware and operating system specification can be part of the security analysis data. It can also be transmitted separately from the security analysis data.
  • a hardware and operating system specification may include important information for performing a security analysis. It may also be important to assess whether the non-transitory storage medium of the dongle (3) comprises computer executable instructions suitable for the computing system (1) under investigation. It may also be important to suggest and provide adequate software updates for the computing system via the redress options.
  • the dongle (3) may be able to receive updated computer executable instructions from the mobile device (4) and to store the updated computer executable instructions on the non-transitory storage medium.
  • the mobile device program product then comprises instructions to send (7) the updated computer executable instructions from the mobile device (4) to the dongle (3) via their respective Bluetooth communication modules.
  • the mobile device program product may further include instructions to download the updated computer executable instructions from a second remote server.
  • the mobile device program product may also obtain (10) the updated computer executable instructions from the remote server (5) suitable for generating the second diagnosis.
  • the invention relates to the following points 1-15.
  • a second communication means which may be equal to or distinct from the first communication means, suitable for communicating with a mobile device
  • non-transitory storage medium comprising computer executable instructions for generating security analysis data
  • the collecting device is configured to, upon establishing communication with the computing system via the first communication means:
  • gather security analysis data from the computing system, and send the security analysis data to the mobile device via the second communication means.
  • Collecting device according to point 1, whereby the first communication means is a Universal Serial Bus connector and whereby the second communication means is a Bluetooth communications module.
  • Collecting device according to any one of points 1 and 2, whereby the collecting device comprises a processor and whereby the collecting device is configured to emulate one or more user input devices for gathering said security analysis data.
  • Collecting device for a security analysis of a computing system according to any one of points 1 to 3, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
  • Collecting device for a security analysis of a computing system according to any one of points 1 to 4, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
  • Collecting device for a security analysis of a computing system according to any one of points 1 to 5, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
  • Mobile device program product for a security analysis of a computing system, the mobile device program product comprising a plurality of mobile device executable instructions for execution on a mobile device, the mobile device comprising a processor for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a third communication means suitable for communicating with the second communication means of a collecting device according to any one of points 1 to 6, whereby the mobile device program product comprises instructions to:
  • Mobile device program product for a security analysis of a computing system according to any one of points 7 and 8, the mobile device program product comprising instructions to:
  • the redress option list comprises a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmit the redress information to the third-party service, and
  • Mobile device program product for a security analysis of a computing system according to any one of points 7 to 9, the mobile device program product comprising instructions to send updated computer executable instructions intended for the collecting device to the collecting device via the third communication means.
  • Method for a security analysis of a computing system comprising the steps of: presenting one or more selectable redress options based on one or more of the diagnoses on the second device,
  • the one or more selectable redress options comprise a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmitting the redress information to the third-party service upon selection of the transmission option, and if the one or more selectable redress options comprise a contact option for contacting a specialist service, contacting the specialist service upon selection of the contact option.
  • Method for a security analysis of a computing system comprising the steps of:
  • Example 1: A user of a computer suspects a security breach. He requests a dongle according to the present invention from a service company, and downloads the associated application, i.e. the associated mobile device program product according to the present invention, on his smartphone.
  • Figure 2 shows a block diagram of the steps for performing a security analysis of the computer. The user inserts the USB connector of the dongle in a USB port of his computer, the user computing system (201). The dongle receives power from the user computing system and its Bluetooth communications module can then be made visible to other devices. The user opens the application and searches for a dongle associated to the application. The dongle is found and the user establishes communication between his smartphone and the dongle (202).
  • the user further selects the start option for a full scan on the touchscreen of his smartphone which triggers the sending of a start signal from the mobile device to the dongle (203).
  • the computer executable instructions are loaded from the non-transitory storage medium of the dongle, executed on the processor of the dongle which emulates one or more user input devices in order to retrieve the desired security analysis data, and the security analysis data is stored on the non-transitory storage medium of the dongle (204).
  • During step (204), the user leaves his office to make a phone call with his smartphone. A while later, the user returns to the computing system, detects the dongle, and selects the option to transmit the security analysis data from the dongle to the mobile device (205).
  • the security analysis data is processed by the application resulting in a first diagnosis regarding security breaches (206).
  • Information related to the first diagnosis is presented on the touchscreen of the smartphone (207). This information indicates that a security breach is likely.
  • a second diagnosis is proposed (208).
  • the user selects the corresponding option on the touchscreen of his smartphone, and the mobile device establishes communication with an analysis computing system (209), i.e. the remote server (5), via Wi-Fi.
  • the security analysis data is sent from the smartphone to the analysis computing system (210), where it is processed resulting in a second diagnosis (211).
  • This second diagnosis is sent to the mobile device (212) and presented on the touchscreen of the smartphone (207).
  • a security breach has been detected.
  • the application presents an option to call a specialist (208). The user selects this option, a telephone call to the specialist is triggered (213), and the user makes an appointment to get his computing system fixed.
  • a dongle such as, for example, the one described in the first example, may be configured for working in a full scan operation mode or a fast scan operation mode.
  • the full scan operation mode may require the reception of a key from the provider of the dongle and/or the acceptance by the user of an agreement and/or the payment of a fee by the user to the provider of the dongle.
  • the security analysis data comprises the first diagnosis.
  • the first diagnosis preferably comprises a threat level indication. This may be a discrete threat level indication such as 'yes', 'maybe', or 'no' or a continuous threat level indication such as a percentage value.
  • no security analysis data is stored on the dongle in the fast scan operation mode.
  • said threat level indication is the security analysis data which is communicated from the dongle to the mobile device.
  • a dongle (collecting device), such as, for example, the one described in the first and second example, may be configured for working in a fast scan operation mode.
  • the dongle is connected to the computing system by means of a USB connector.
  • the dongle is powered by the computing system and emulates an HID keyboard.
  • the dongle is recognized by the computing system and is directly operable, without the need to install drivers, because the operating system present on the computing system supports HID keyboards by default.
  • the user uses a security analysis application on his/her smartphone to connect to the dongle via Bluetooth. The user instructs the application to start the security analysis. This leads to a signal being sent to the dongle, causing the dongle to initiate the gathering of security analysis data.
  • the dongle sends an instruction to the computing system to open a PowerShell. This opens a PowerShell window on the computing system, which is visible for the user.
  • the dongle sends self-analysis instructions to the computing device via the HID interface in the form of keystrokes, which are executed one by one by the computing system while being visible for the user in the PowerShell.
  • the execution of all self-analysis instructions causes a security variable on the computing system to be set to 0, indicating that no security problem is detected.
  • This value is transferred via the HID interface to the dongle as a modulation of the "caps lock on" field (and/or "shift lock on" field).
  • the dongle sends the security variable value of zero to the smartphone via Bluetooth. An indication that no security problem is detected is displayed on the screen of the smartphone.
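The dongle/app exchange listed above (starting signal, full scan gated by a provider key versus fast scan that stores nothing on the dongle, partial loads on transmission request, first diagnosis and redress option list) as an added simulation; this is not code from the patent or its applicant, and the class names, the provider key, the constructed host snapshot and the rule mapping findings to a threat level are assumptions:

```python
"""Simulation of the dongle / mobile app exchange described above. Added example,
not code from the patent or its applicant: class names, the provider key, the
constructed host snapshot and the findings-to-threat-level rule are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional
import hmac


class ScanMode(Enum):
    FAST = "fast"  # nothing stored on the dongle; only a threat level is sent
    FULL = "full"  # raw data kept on the dongle and fetched on request


THREAT_LEVELS = ("no", "maybe", "yes")  # discrete indications named in the text


def threat_level(counts: Dict[str, int]) -> str:
    """Constructed rule: 0 findings -> 'no', 1 -> 'maybe', 2 or more -> 'yes'."""
    return THREAT_LEVELS[min(sum(counts.values()), 2)]


@dataclass
class Dongle:
    """Collecting device; host_counts stands in for what the self-analysis
    instructions read off the computing system (constructed)."""
    host_counts: Dict[str, int]
    provider_key: str  # key issued by the dongle provider, needed for full scans
    storage: List[str] = field(default_factory=list)  # non-transitory storage

    def on_start_signal(self, mode: ScanMode, key: Optional[str] = None) -> Optional[str]:
        """Starting signal from the mobile device triggers the scan."""
        if mode is ScanMode.FULL:
            if key is None or not hmac.compare_digest(key, self.provider_key):
                raise PermissionError("full scan requires a valid provider key")
            # Full scan: gather raw records and keep them on the dongle.
            self.storage = [f"{k}={v}" for k, v in sorted(self.host_counts.items())]
            return None
        # Fast scan: first diagnosis formed on the dongle, nothing stored.
        self.storage = []
        return threat_level(self.host_counts)

    def on_transmission_request(self, offset: int = 0, count: Optional[int] = None) -> List[str]:
        """Full or partial load of the stored security analysis data."""
        return self.storage[offset:None if count is None else offset + count]


def fetch_all(dongle: Dongle, chunk: int = 2) -> List[str]:
    """Mobile app side: pull the data in partial loads until the dongle is drained."""
    received: List[str] = []
    while True:
        part = dongle.on_transmission_request(len(received), chunk)
        if not part:
            return received
        received.extend(part)


def first_diagnosis(records: List[str]) -> str:
    """Mobile app side: process the raw 'key=value' records into a threat level."""
    counts = {k: int(v) for k, _, v in (r.partition("=") for r in records)}
    return threat_level(counts)


def redress_options(first: str, second: Optional[str]) -> List[str]:
    """Redress option list from the description: stop when no breach; otherwise
    update, second opinion (only while just a first diagnosis exists), transmission
    to a third-party service, contact a specialist. The per-level rule is constructed."""
    level = second if second is not None else first
    if level == "no":
        return ["stop"]
    options = ["update", "transmit_to_third_party", "contact_specialist"]
    if second is None:
        options.insert(1, "second_opinion")
    return options


def run_example() -> dict:
    """Both operation modes on a constructed computing system."""
    host = {"suspicious_processes": 1, "unsigned_drivers": 1, "open_listeners": 0}
    dongle = Dongle(host_counts=host, provider_key="constructed-key")
    fast = dongle.on_start_signal(ScanMode.FAST)  # only the level crosses Bluetooth
    fast_storage = list(dongle.storage)
    try:
        dongle.on_start_signal(ScanMode.FULL, key="wrong-key")
        refused = False
    except PermissionError:
        refused = True
    dongle.on_start_signal(ScanMode.FULL, key="constructed-key")
    records = fetch_all(dongle, chunk=2)
    first = first_diagnosis(records)
    return {"fast": fast, "fast_storage": fast_storage, "refused": refused,
            "records": records, "first": first,
            "options_first_only": redress_options(first, None),
            "options_after_second": redress_options(first, "no")}


if __name__ == "__main__":
    print(run_example())
```

The fast scan leaves the dongle's storage empty and sends only the threat level, which is the data-minimising behaviour the description attributes to that mode.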


Abstract

The current invention concerns a collecting device for gathering security analysis data from a computing system. The collecting device comprises a communication means for transmitting said security analysis data to a mobile device. In further aspects, the current invention concerns a mobile device program product for processing the security analysis data and presenting related information on a display of the mobile device, a method for performing a security analysis of the computing system, and a use.

Description

COLLECTING DEVICE, MOBILE DEVICE PROGRAM PRODUCT, AND METHOD FOR A SECURITY ANALYSIS OF A COMPUTING SYSTEM
Technical field
The current invention concerns a collecting device for gathering security analysis data from a computing system. The collecting device comprises a communication means for transmitting said security analysis data to a mobile device. In further aspects, the current invention concerns a mobile device program product for processing the security analysis data and presenting related information on a display of the mobile device, and a method for performing a security analysis of the computing system.
Background
Computer security is the protection of computer systems from the theft or damage to the software or information on them, as well as from disruption or misdirection of the services they provide. Harm may come from various sources such as, for example, unintended misuse, backdoor methods, viruses, worms, trojan horses, keyloggers, and covert listening devices.
Computer security analysis may be performed by executing software or by human intervention. The former most often requires the installation of security analysis software on the computing system to be analyzed, and requires connectivity of the computing system to an external service for obtaining information regarding newly discovered threats. However, if the computing system is not by itself enabled to obtain information regarding newly discovered threats, or if installation of security analysis software on the computing system is not possible, analysis cannot be adequately performed. Human intervention, on the other hand, requires specialist training and can therefore be very costly. US 9,654,496 discloses a device which may detect a suspicious activity. The device may automatically obtain a suspect object from a client device that is associated with the suspicious activity and based on detecting the suspicious activity. The suspect object may be an object that is possibly associated with the suspicious activity. The device may determine that the suspect object is malicious. The device may perform an action based on determining that the suspect object is malicious. US 9,654,496 however is inflexible in its use and.
US 8,793,795 discloses a computer forensic accelerator engine designed to speed up the forensic analysis process. It is a device for use with an analysis device to analyze data on a suspect computer device, and includes a first interface for connecting to the suspect computer device, a second interface for connecting to the analysis device, and a processing unit programmed to read data from the suspect device via the first interface, perform analysis on the data, transmit the data to the analysis device via the second interface, and transmit results of the analysis to the analysis device via the second interface. In view of its aim of speeding up forensic analysis, US 8,793,795 lacks many of the provisions needed for flexible usage, and furthermore is overly complex.
US 2012/0324067 discloses a managed Universal Serial Bus (USB) service capability configured to use a mobile computing device (e.g., a smartphone or other suitable mobile computing device) to support a set of services for a computer (e.g., a desktop, a laptop, and the like) capable of connecting to the mobile computing device via a USB connection. The managed USB service capability enables local and/or remote control of the mobile computing device to operate in various USB device classes, such that the mobile computing device can provide various managed USB services for the computer via the peripheral connection. In this manner, the mobile computing device may be dynamically configured to operate as one or more of a network interface, a virtual private network (VPN) client, a smart card, a serial console, a mass-storage device, a booting device, and the like.
US 2012/0324067 does not disclose the use of the USB service capability for security analysis. However, if USB service capability would be used for this end, security analysis software would run from the mobile computing device. The latter can therefore not be disconnected or removed during collection of security analysis data from the user computing system. The mobile computing device can then also not be used to full capacity, as part of its resources are reserved for the security analysis software. US 2014/0115487 discloses an intermediary interface system for remote servicing of a computer in a local customer system by a remote representative system even if the local customer system does not have a network connection to the remote representative system. The intermediary interface system includes a smartphone and a dongle. The dongle interfaces video output and keyboard and mouse inputs of the local customer system with the smartphone. The smartphone wirelessly interfaces the dongle with the remote representative system. Thus, the representative system displays the video signal from the local customer system for analysis and sends keyboard and mouse signals to the local customer system in response without requiring a network connection between the local customer system and the remote representative system. The method disclosed in US 2014/0115487 relies on the intermediary interface system to service the local customer system via the remote representative system. The transmission of a large amount of data to and/or from the remote representative system, may render the analysis or service slow, costly, or even impossible to perform. In addition, as the connection relies on the smartphone which wirelessly interfaces the dongle with the remote representative system, the smartphone cannot be disconnected or removed during analysis or servicing. 
The smartphone can then also not be used to full capacity, as part of its resources are reserved for the wireless interface between the dongle and the remote representative system.
The present invention aims to resolve at least some of the problems mentioned above.
Summary of the invention
In a first aspect, the present invention provides a collecting device for a security analysis of a computing system, as disclosed in claim 1.
In a second aspect, the present invention provides a mobile device program product for a security analysis of a computing system, as disclosed in claim 17.
In a third aspect, the present invention provides a method for a security analysis of a computing system, as disclosed in claim 21.
In a fourth aspect, the present invention provides a use according to claim 25.
The advantage of the present invention lies in the flexible and orthogonal addressing of the collecting device or "target", which provides for flexibility and user friendliness, combined with generic, interference-free and single-access-point reporting of security analysis data. The flexibility lies in the fact that the security analysis data is sent to a mobile device. Hence, the user may be provided with the security analysis data via a mobile device such as a smartphone, laptop or tablet, which is much more familiar to most users than a separate security device, and therefore preferred by the user as a means of interaction. Hereby, the invention teaches providing a collecting device acting as middleman between the computing system and the mobile device, rather than attempting to let the mobile device interact with the computing system directly. Such a direct interaction is problematic for several reasons. First, for generic reporting of security analysis data, it is key to address a broad population of different computing devices in an essentially identical way. Particularly, the applicant has found that it is infeasible or highly impractical to let the mobile device, preferably provided with a dedicated security analysis app, communicate directly with the low-level hardware of the computing system, particularly in the case of mobile devices running closed-source operating systems. Concretely, letting a mobile device communicate directly with the computing system requires at least installing system-dependent drivers on the computing system and/or requires configuring parameters relating to trust or explicit exchange on the computing system, such as explicit identification of the mobile device on the computing system. This may be partially circumvented by using a "rooted" or "jailbroken" mobile device, but this is not acceptable for most users.
By introducing a collecting device between the computing system and the mobile device, the invention provides for a generic approach that allows circumventing installing drivers or configuring parameters on the computing system, while being operable also with regular mobile devices that are not jailbroken or rooted. By using a collecting device according to the present invention, according to a preferred embodiment, it is relatively easy to provide a security analysis app on the mobile device that meets all security requirements, using a predefined and popular protocol stack such as Bluetooth which comes with the operating system of the mobile device to communicate with the predefined and hence predictable second communication means present in the collecting device. The collection device, on the other hand, uses a first communication means different from the second communication means for interacting with the computing system, whereby the first communication means may be chosen so as to enhance generic addressing of a wide variety of computing systems, e.g. by complying with HID device requirements, thereby circumventing installing drivers and/or configuring parameters on the computing system.
Furthermore, it is to be noted that using the mobile device together with the collecting device, instead of letting the mobile device interact directly with the computing system, may provide for further advantages. Particularly, it allows taking into account the limited power/battery resources of the mobile device, by flexibly offloading the power-consuming task of gathering the security analysis data to the collecting device, which need not be mobile with respect to the computing system and preferably is connected to the computing system with a wired connection. Also, this flexible set-up is provided such that a single point of access toward the computing system is provided. It is well known that computing systems may be protected against external access to internal security-related information. Hence, a single access point provided by the collecting device, which acts as middleman in the chain between the computing system and the mobile device, allows for maximal robustness toward safety measures present in the computing system. Finally, the chain between the computing system, the collecting device and the mobile device is such that the communication means/technology between the computing system and the collecting device differs from that between the collecting device and the mobile device. Such an orthogonal approach mitigates the chance of interference, and moreover allows a "double blind" connection approach with respect to security analysis, whereby the mobile device may or may not be computer-system-agnostic and vice versa. This is particularly advantageous where some level of privacy and/or anonymization is desirable (see e.g. "fast scan mode" as described in this document), preventing the computing system and the mobile device from identifying each other, e.g. on the same Ethernet or the same Wi-Fi network, which may leave an undesirable trace of said security analysis.
The advantageous combination of said collecting device and said mobile device according to the present invention differs significantly from the security device according to US 9,654,496. Particularly, US 9,654,496 discloses a device comprising a communication interface but lacks any disclosure with respect to the use of said communication interface for sending security analysis data to a further device. Moreover, US 9,654,496 does not disclose said further device being a mobile device, and hence does not enable the user-friendliness provided by the present invention. Furthermore, US 9,654,496 does not disclose said second communication means being different from said first communication means, and hence does not allow for said interference-free and/or "double blind" and/or orthogonal operation.
The invention furthermore differs significantly from the computer forensic tool according to US 8,793,795. Since US 8,793,795 is aimed at a different goal, namely speeding up the forensic analysis process, all connections are assumed wired, and no second communication means different from a first communication means is disclosed. Likewise, no use of a mobile device is disclosed.
In the detailed description, the present invention is explained in greater detail. In addition, several preferred embodiments and several related advantages are discussed.

Description of figures
Figure 1 shows a schematic overview of devices and communication channels which can be used in a preferred embodiment of the present invention.
Figure 2 shows a block diagram of a preferred embodiment of the method of the present invention.

Detailed description of the invention
The present invention concerns a collecting device, a mobile device program product, and a method for a security analysis of a computing system. These three aspects are summarized in the respective section above. In this section, the present invention is explained in greater detail and preferred embodiments and several related advantages are discussed.
Unless otherwise defined, all terms used in disclosing the invention, including technical and scientific terms, have the meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. By means of further guidance, term definitions are included to better appreciate the teaching of the present invention.
In this document, the term "first device" is an umbrella term referring to a first class of devices including the "collecting device". Furthermore, the term "second device" is an umbrella term referring to a second class of devices including the "mobile device". "Mobile device" as used herein refers to any portable computing device. Examples of mobile devices include a smartphone, a smartwatch, a laptop computer, a tablet computer, other portable handheld devices, and the like.
In this document, the terms "computing system" and "target" are used interchangeably.
As used herein, the following terms have the following meanings: "A", "an", and "the" as used herein refers to both singular and plural referents unless the context clearly dictates otherwise. By way of example, "a compartment" refers to one or more than one compartment.
"Comprise", "comprising", and "comprises" and "comprised of" as used herein are synonymous with "include", "including", "includes" or "contain", "containing", "contains" and are inclusive or open-ended terms that specifies the presence of what follows e.g . component and do not exclude or preclude the presence of additional, non-recited components, features, element, members, steps, known in the art or disclosed therein.
"Communication" as used herein comprises any analog or digital data communication between computing devices. Communication can be wired or wireless. Communication is not limited by the used protocol. A non-limiting list of examples of communication technologies comprises 2G, 3G, 3G+, 3GPP, 4G, 4G+, 5G, 6LowPAN, Bluetooth, Bluetooth 4.0, Bluetooth 4.1, Bluetooth 4.2, Bluetooth 5, Bluetooth Low-Energy, CDMA, CDMA2000, Cellular, Dash7, EDGE, EDGE Evolution, Ethernet, EV-DO, Flash-OFDM, GPRS, GSM, HIPERMAN, HSPA, iBurst, IEEE 802.11a, IEEE 802.11ac, IEEE 802.11b, IEEE 802. l lg, IEEE 802.11η, IEEE 802.15.4, IEEE 802.15.4-2006, IEEE 802.16, IEEE 802.16-2009, IEEE 802.16m, IEEE 802.20, Internet, IPv4, IPv6, LAN, LoRaWAN, Low Rate WPAN, LTE, NarrowBand-IoT, Near Field Communication, Neul, RFID, RTT, Sigfox, Thread, UMTS, UMTS W-CDMA, UMTS-TDD, USB, UWB, WAN, Weightless, Wi-Fi, WiMAX, Wireless USB, WLAN, WWAN, ZigBee, and Z-Wave. The abbreviation "USB" as used herein refers to Universal Serial Bus, an industry standard for connection, communication, and power supply between computers and electronic devices. The standard defines interrelated USB ports and USB connectors. A non-limiting list of examples of USB standards comprises the USB 2.0, USB 3.0, and USB 3.1 standards. A non-limiting list of examples of USB formats comprises the standard, mini, and micro formats.
"Bluetooth" as used herein refers to a wireless technology standard for exchanging data over short distances. Bluetooth may or may not require the pairing of devices before communication can be established between the devices. Insofar pairing is required in a particular Bluetooth standard used in a particular embodiment of the present invention, it is implicitly assumed that such pairing is performed between the devices to enable the communication.
"Wi-Fi" as used herein refers to any wireless local area network product based on the Institute of Electrical and Electronics Engineers' 802.11 standards. Wi-Fi can be used to establish connection of a device with the internet, a local area network such as a campus-wide network, or with another device.
"Wireless mobile telecommunications technology" as used herein refers to any communication standard for establishing mobile internet access. Examples of wireless mobile telecommunications technology include the third generation (3G), the fourth generation (4G), and the fifth generation (5G).
"User input device" as used herein refers to a device for providing input by a user to a computing device. The input is not limited by modality and can encompass mechanical movement, sound, images, and the like. The input can be discrete and/or continuous. The input is also not limited by the number of degrees of freedom. The input can be direct or indirect. When input is provided on a position or a position change, e.g. to move a pointer on a screen, the input can be absolute or relative. A non-limiting list of examples of user input devices comprises a keyboard, a computer mouse, a touchpad, a touchscreen, a camera, a scanner, a joystick, a microphone, a light pen, a trackball, a projected keyboard, a game controller, a card reader, and the like. In a first aspect, the present invention provides a collecting device for a security analysis of a computing system. The collecting device comprises a first communication means suitable for communicating with the computing system, a second communication means, which may be equal but is preferably distinct from the first communication means, the second communication means suitable for communicating with a mobile device, and a non-transitory storage medium. The non-transitory storage medium comprises computer executable instructions intended for generating security analysis data. The collecting device is configured to, upon establishing communication with the computing system via the first communication means, load the computer executable instructions from the non-transitory storage medium to execute the computer executable instructions, gather security analysis data from the computing system, and send the security analysis data to a mobile device via the second communication means.
In a preferred embodiment, any or any combination of steps performed by the collecting device is either performed triggered by the mobile device or while reporting to the mobile device by sending data to it. Such an advantage is not offered by US 9,654,496. It provides a user of said computing system with control over the collecting device and the actions performed by said collecting device. Such control is not provided by US 9,654,496, leading to problematic situations for instance in cases where the computing system is uncooperative and/or commandeered. In such cases, according to US 9,654,496, the user of the computing system must take control of the security device itself to gain control over the actions performed, which may be undesirable and/or infeasible. And even if the user were allowed to take control over said security device, the security device being a single entity leads to the practical problem of having to be available and connected to the computing device throughout the entire operation of generating security analysis data. This contrasts with the present invention, wherein the security device is advantageously split up into a collecting device and a mobile device, wherein control-related functionality is implemented in the mobile device, whereas the actual functions required for performing the task at hand are implemented in the collecting device. In other words, the present invention provides the user of the computing device with a remote control over the actions performed by the security device, wherein the remote control is preferably implemented as an app running on the smartphone of the user. The non-obvious nature of this provision may be understood from the fact that US 9,654,496 neither points in the direction of providing the user of the computing device with control over the gathering of the security analysis data, nor discloses any hint with respect to any form of remote control of said security device.
Another advantageous aspect of the invention is that, in a preferred embodiment, the gathering of security data is triggered entirely by the user, and is not triggered by external screening, as is the case in an admin-centric security approach. Particularly, US 9,654,496 does not disclose nor hint in the direction of performing actions upon request of the user. Another advantageous aspect of the invention relates to the fact that the security analysis data is not sent to some remote server to which, e.g., an admin has access, but rather is sent to the mobile device. This reflects the user-centric nature of the security analysis that is performed. Rather than having a security device analyzing the security of a computing device regardless of user needs, and reporting to, e.g., an admin, the invention provides a solution wherein the user is "in the driving seat", deciding on whether or not a security analysis is needed, and moreover being the one who receives the result of such analysis. In some embodiments, this may concern privileged access to this information, wherein only the user may be aware of the result of the security analysis, or, more preferably, only the user is aware of the security analysis being performed. As such, the solution provided by the invention lowers the threshold for users to start a security analysis. This provides the user with a hassle-free solution, wherein a user unsure about the integrity of his/her computing device may assess that integrity independently of a third party, relieving him/her of having to justify why such a check would be needed and/or, more importantly, allowing him/her to decide on further action by himself/herself when the security analysis reveals that his/her computing device may be compromised.
In a preferred embodiment, said step of loading of said computer executable instructions and said executing is triggered by a user-selected instruction from said mobile device via said second communication means, wherein preferably said user of said mobile device is also a user of said computing system. This provides the advantage of having both the start of the security analysis and the final reporting of the security analysis available at the mobile device. This leads to enhanced user-friendliness, with the mobile device as front end to the user, but also offers larger control for the user over the information flow, not having the computing system being scanned without the user knowing it, as is, e.g., the case in US 9,654,496. In a preferred embodiment, said collecting device is a dongle, wherein preferably a largest dimension of said collecting device is not larger than 150 mm, more preferably wherein an outer surface of said collecting device is contained entirely in a volume of dimensions 150 mm x 50 mm x 50 mm. Such a dongle is convenient, is easy to carry around together with the mobile device, and allows an easy fit for any computing system to be analyzed, also if the computing system is located in a narrow space. This leads to a usage of the collecting device fundamentally different from that of a device according to US 9,654,496, which does not allow the collecting device to be carried around by the user.
In a preferred embodiment, said security analysis data is not stored on either of said computing system and said collecting device; preferably not stored on any of said computing system, said collecting device, and said mobile device. Such an embodiment may or may not relate to fast scan mode. It advantageously provides for more control for the user, whereby the user may perform a diagnosis by himself without fearing leak of security data or other data via any of the computing system and the collecting device and/or the mobile device. This lowers the threshold for executing the security analysis, leading to an incentive for performing security checks more frequently, leading to overall increased security.
In another preferred embodiment, said computer executable instructions comprise a plurality of self-analysis instructions, said self-analysis instructions preferably being scripting language instructions, for execution by said computing system for performing said security analysis as a self-analysis, and said step of gathering security analysis data from the computing system comprises, preferably consists of, the sub-steps of:
- transferring, by said collecting device, said plurality of self-analysis instructions to said computing system via said first communication means;
- letting said computing system execute said plurality of self-analysis instructions for performing said security analysis as said self-analysis, yielding said security analysis data being a self-analysis result;
- receiving, by said collecting device, said self-analysis result.
In such an embodiment, the computer executable instructions hence comprise both instructions for the collecting device to execute, on the one hand, and self-analysis instructions to be transferred to said computing system, on the other hand. The computer executable instructions may relate to establishing communication between the collecting device, preferably a dongle, and the computing system. Furthermore, the computer executable instructions may relate to opening a self-analysis-instruction-receptive application, preferably a security-related application and/or diagnostic application and/or task automation framework and/or configuration management framework and/or command-line shell application on the computing system, such as PowerShell on Microsoft Windows, Linux or OS X. Such a self-analysis-instruction-receptive application may then receive the plurality of self-analysis instructions from the collecting device and may perform the security analysis by executing these self-analysis instructions. The major advantage hereof is that the tasks performed by the collecting device are limited to merely handing over instructions, rather than performing these tasks itself, which may be intrusive and may involve security-related information, which may trigger some security mechanism and/or threat detection mechanism present in the computing system and may block further activity of the collecting device. Hence, this embodiment advantageously provides means to avoid the computing system being "alarmed" by the collecting device activity, by delegating the actual security analysis to the computing system in a transparent way, based on self-analysis instructions.
In a related preferred embodiment, said plurality of self-analysis instructions relates to human-interpretable instructions, preferably scripting language instructions and/or source code instructions, wherein said computing device comprises a display, and wherein said step of transferring said plurality of self-analysis instructions by said collecting device to said computing system comprises transferring a visualization-related instruction intended for said computing system for requiring said computing system to display at least one of said plurality of self-analysis instructions during and/or after said execution of said plurality of self-analysis instructions, preferably for requiring said computing system to display said plurality of self-analysis instructions as they are being executed by said computing system in real-time. This is advantageous in that it provides the user with visual feedback with respect to the activities involved in the security analysis. This may be helpful in convincing the user to execute a security analysis, mitigating his/her reasonable fear that his/her computing system may be compromised by some hidden process.
In a preferred embodiment, said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating an HID keyboard or an HID joystick. Such an embodiment is advantageous because it allows a driverless connection to the computing system, i.e. a connection not requiring installing device-specific software on the computing system, but rather being able to interface immediately with the collecting device. This is so because most operating systems such as Windows, OS X and Linux are by default capable of communication with HID devices. Moreover, this embodiment is advantageous in that the choice of communication based on HID is particularly suitable for the aim of the present invention, since HID devices usually do not trigger the many security mechanisms present in typical computing systems. Hence, by choosing HID, it is prevented that a security mechanism of the computing system labels the collecting device as suspicious and/or blocks the security analysis.
In a related preferred embodiment, said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating an HID keyboard or an HID joystick; wherein said transferring of said plurality of self-analysis instructions relates to transferring a sequence of HID instructions representing said plurality of self-analysis instructions from said collecting device to said computing system, and wherein said receiving of said self-analysis result by said collecting device relates to receiving one or more HID instructions representing said self-analysis result. In such an embodiment, from the point of view of the computing system, the collecting device may be equivalent to a "virtual security expert" that is "typing" the instructions into the computing system. Hereby, feedback from the computing system to the collecting device is equally supported, even in the case of an HID keyboard, where such feedback may be encoded e.g. by modulating the "caps lock on" (and/or "shift lock on") signal, which the host delivers to a keyboard as an HID output report carrying the LED state, as a variation of zeros and ones over time. Such an embodiment advantageously combines the advantages of emulating an HID device and letting the security analysis be carried out as a process running on the computing system rather than on the collecting device, both mitigating the chances of the computing system labeling the collecting device as suspicious and/or blocking the security analysis.
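The two directions of the HID link described in the self-analysis embodiment above and in this paragraph, as an added example that is not code from the patent: downstream, the collecting device turns the text of a self-analysis script into the 8-byte reports of a USB boot-protocol keyboard (modifier byte, reserved byte, six key usage IDs), one press/release pair per character; upstream, the script running on the computing system signals its result by toggling keyboard lock keys, which the host delivers back to the "keyboard" as 1-byte LED output reports, and the collecting device decodes those into bytes. The sample script line, the US keyboard layout, and the use of Scroll Lock as a clock line next to the Caps Lock data line the text mentions are assumptions of this example.

```python
"""Keystroke-injection and LED-feedback codec for an HID-keyboard collecting device.

Added example, not the patent's code.  Assumptions: US keyboard layout; the
self-analysis script sets Caps Lock to the data bit and then toggles Scroll
Lock once per bit as a clock edge (the page only mentions Caps Lock).
"""
from typing import List

LEFT_SHIFT = 0x02          # modifier bit in byte 0 of a boot keyboard report
KEY_ENTER = 0x28
RELEASE = bytes(8)         # all-zero report: no keys pressed

# Unshifted keys: char -> usage ID on the HID keyboard page (0x07)
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": KEY_ENTER, "\t": 0x2B, " ": 0x2C, "-": 0x2D,
               "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34,
               "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Shifted keys: char -> the unshifted char on the same physical key (US layout)
_SHIFTED = dict(zip("!@#$%^&*()_+{}|:\"~<>?", "1234567890-=[]\\;'`,./"))
_SHIFTED.update({c: c.lower() for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"})
_PLAIN_INV = {v: k for k, v in _PLAIN.items()}
_SHIFTED_INV = {v: k for k, v in _SHIFTED.items()}

# Constructed sample self-analysis line the dongle would "type" into a shell.
SELF_ANALYSIS = "Get-Process | Select-Object -First 3 Name,Id\n"


def char_to_report(ch: str) -> bytes:
    """Build the 8-byte boot-keyboard report that presses one character."""
    if ch in _PLAIN:
        return bytes([0, 0, _PLAIN[ch], 0, 0, 0, 0, 0])
    if ch in _SHIFTED:
        return bytes([LEFT_SHIFT, 0, _PLAIN[_SHIFTED[ch]], 0, 0, 0, 0, 0])
    raise ValueError(f"no US-layout key for {ch!r}")


def script_to_reports(script: str) -> List[bytes]:
    """Press/release pair per character so the host sees distinct keystrokes."""
    reports: List[bytes] = []
    for ch in script:
        reports.append(char_to_report(ch))
        reports.append(RELEASE)
    return reports


def reports_to_text(reports: List[bytes]) -> str:
    """What the host's keyboard driver reconstructs (used to check the encoder)."""
    text = []
    for r in reports:
        if r == RELEASE:
            continue
        ch = _PLAIN_INV[r[2]]
        text.append(_SHIFTED_INV[ch] if r[0] & LEFT_SHIFT else ch)
    return "".join(text)


# LED output report bits (HID keyboard LED page): bit1 Caps Lock, bit2 Scroll Lock
CAPS = 0x02
SCROLL = 0x04


def bytes_to_led_reports(payload: bytes) -> List[int]:
    """Host side: per bit, set Caps Lock to the bit (if it changes), then toggle
    Scroll Lock; every LED change reaches the dongle as one output report."""
    reports, caps, scroll = [], 0, 0
    for b in payload:
        for i in range(7, -1, -1):
            bit = (b >> i) & 1
            if bit != caps:
                caps = bit
                reports.append(caps * CAPS | scroll * SCROLL)
            scroll ^= 1
            reports.append(caps * CAPS | scroll * SCROLL)
    return reports


def led_reports_to_bytes(reports: List[int]) -> bytes:
    """Dongle side: sample Caps Lock on every Scroll Lock transition, MSB first."""
    bits, last_scroll = [], False
    for r in reports:
        scroll = (r & SCROLL) != 0
        if scroll != last_scroll:
            bits.append((r & CAPS) != 0)
            last_scroll = scroll
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join("1" if b else "0" for b in bits[i:i + 8]), 2))
    return bytes(out)


if __name__ == "__main__":
    reps = script_to_reports(SELF_ANALYSIS)
    print(len(reps), "reports; first press:", reps[0].hex())
    print(led_reports_to_bytes(bytes_to_led_reports(b"OK:0")))
```

The LED channel carries a few bytes per second at best, so a script used this way should return a compact verdict or a short summary rather than raw output; anything voluminous belongs to a mode where the collecting device reads data over a richer channel.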
In a related further preferred embodiment, the first communication means complies with any or any combination of the following : USB HID, Bluetooth HID, Serial HID remote control receiver, ZigBee HID, HID over I2C, HID over GATT.
In several embodiments, the collecting device may comprise a processor, e.g. a CISC processor, a RISC processor, a microprocessor or a microcontroller.
In a preferred embodiment, the collecting device is further configured to:
- preferably, upon establishing communication with the computing system via the first communication means, determine a hardware and operating system specification of the computing system, and send the determined hardware and operating system specification to the mobile device via the second communication means;
- upon establishing communication with the mobile device over the second communication means, let the mobile device download updated computer executable instructions from a remote server preferably taking into account said determined hardware and operating system specification, said downloading preferably via a further communication means different from said first and said second communication means,
- receive said updated computer executable instructions from the mobile device via the second communication means, and
- store the updated computer executable instructions on the non-transitory storage medium.
This is advantageous in that it allows performing the security analysis based on up-to-date information. Hereby, the communication means needed to connect with the remote server are not sought in the computing system, which would be inappropriate particularly in cases where the system might be compromised and hence preferably is not connected to any network or any device other than said collecting device. Rather, these communication means are provided by the mobile device. In an embodiment wherein the hardware and operating system specification is determined in a first step, this furthermore leads to performing the security analysis according to computer executable instructions that are tailored to the given computing system, which may contribute to a more reliable security analysis.
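The update flow of the preceding list, as an added example that is not the patent's code: the collecting device reports a hardware/operating system specification, the mobile device fetches a matching instruction set and a manifest from a remote server over its own network link (modelled here by a constructed in-memory server), and the collecting device checks what it receives before writing it to its non-transitory storage. The page does not say how updates are authenticated; because the mobile device and its network path are only a relay here, this example assumes the server tags the manifest with HMAC-SHA256 under a key provisioned on the dongle at manufacture, adds an anti-rollback version check, and uses a platform naming of its own. The script bodies in the server table are placeholders.

```python
"""Tailored, verified update of the collecting device's instruction set.

Added example, not the patent's code.  Assumptions: HMAC-SHA256 manifest tag
under a dongle-provisioned key, monotonic manifest version, os/arch platform keys.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

DONGLE_KEY = b"demo-key-provisioned-at-manufacture"   # constructed, demo only

# Constructed remote-server contents: one instruction set per platform.
SERVER_SETS: Dict[str, bytes] = {
    "windows/amd64": b"Get-CimInstance Win32_StartupCommand | Select Name,Command,Location\r\n",
    "linux/amd64": b"systemctl list-unit-files --state=enabled\n",
}
SERVER_VERSION = 7


def server_manifest() -> Tuple[bytes, str]:
    """Server side: per-platform SHA-256 digests, authenticated with the dongle key."""
    manifest = {"version": SERVER_VERSION,
                "sets": {k: hashlib.sha256(v).hexdigest() for k, v in SERVER_SETS.items()}}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(DONGLE_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def platform_key(spec: Dict[str, str]) -> str:
    """Dongle-reported hardware/OS specification -> server instruction-set key."""
    arch = spec["arch"].lower()
    arch = {"x64": "amd64", "x86_64": "amd64", "x86-64": "amd64"}.get(arch, arch)
    return f"{spec['os'].lower()}/{arch}"


def mobile_fetch(spec: Dict[str, str]) -> Tuple[bytes, str, bytes]:
    """Mobile side: a relay only.  It fetches over its own network link and hands
    manifest, tag and instruction set to the dongle without interpreting them."""
    body, tag = server_manifest()
    return body, tag, SERVER_SETS.get(platform_key(spec), b"")


def dongle_verify_and_store(storage: Dict, spec: Dict[str, str], body: bytes,
                            tag: str, instruction_set: bytes) -> Tuple[bool, str]:
    """Dongle side: store the update only if the manifest authenticates, is newer
    than the installed version, and the instruction set matches its digest."""
    expected_tag = hmac.new(DONGLE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "manifest authentication failed"
    manifest = json.loads(body)             # parsed only after authentication
    if manifest["version"] <= storage.get("version", 0):
        return False, "stale manifest"
    key = platform_key(spec)
    digest = manifest["sets"].get(key)
    if digest is None:
        return False, f"no instruction set for {key}"
    if hashlib.sha256(instruction_set).hexdigest() != digest:
        return False, "instruction set digest mismatch"
    storage["instructions"] = instruction_set
    storage["version"] = manifest["version"]
    storage["platform"] = key
    return True, key


def run_update(storage: Dict, spec: Dict[str, str]) -> Tuple[bool, str]:
    """Whole flow: dongle spec -> mobile fetch -> dongle verify and store."""
    body, tag, instruction_set = mobile_fetch(spec)
    return dongle_verify_and_store(storage, spec, body, tag, instruction_set)


if __name__ == "__main__":
    store = {"version": 3}
    print(run_update(store, {"os": "Windows", "arch": "AMD64"}), store["version"])
```

Authenticating before parsing, and rejecting a replayed manifest, matter here because the relay is a consumer smartphone on an untrusted network: whoever can feed the dongle instructions it will later "type" into the computing system controls the security analysis.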
In a preferred embodiment, the first communication means is a wired communication means able to provide power to the collecting device upon establishing communication with the computing system. In an even more preferred embodiment, the first communication means is a Universal Serial Bus (USB) connector. This USB connector can be of any USB standard and of any USB format.
In a preferred embodiment, the second communication means is a wireless communication means. This is advantageous when the collecting device is attached to the computing device at a location which is difficult to reach. In an even more preferred embodiment, the second communication means is a Bluetooth communications module.
In a second aspect, the present invention provides a mobile device program product for a security analysis of a computing system. The mobile device program product comprises a plurality of mobile device executable instructions for execution on a mobile device. The mobile device comprises a processor for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a third communication means suitable for communicating with the second communication means of the collecting device according to the first aspect of the present invention. The mobile device program product comprises instructions to receive security analysis data from the collecting device via the third communication means, process the received security analysis data resulting in a first diagnosis, and present information related to the first diagnosis on the display of the mobile device.
In a preferred embodiment, the third communications means of the mobile device is a wireless communication means. In an even more preferred embodiment, the third communication means is a Bluetooth communications module.
In a third aspect, the present invention provides a method for a security analysis of a computing system. The method requires a collecting device and a mobile device. The method comprises the steps of:
- enabling communication between the collecting device and the computing system,
- gathering security analysis data about the computing system on the collecting device,
- enabling communication between the collecting device and the mobile device,
- transmitting the security analysis data from the collecting device to the mobile device,
- processing the security analysis data on the mobile device resulting in a first diagnosis, and
- presenting information related to the first diagnosis on the mobile device.
The security analysis data is an intermediate form of data composed of any information which can be retrieved on the computing system. The security analysis data is then subsequently processed to the first diagnosis. One of ordinary skill in the art will appreciate that the security analysis data may be any data in the spectrum between the information which can be directly retrieved on the computing system and the first diagnosis. The security analysis data may therefore comprise one or more of the following list:
- any raw data directly retrievable on the computing system,
- the first diagnosis, and
- a processed form of intermediary data, derived from information which can be retrieved on the computing system, and which requires further processing to obtain the first diagnosis.
In a preferred embodiment, the collecting device comprises a full scan operation mode and a fast scan operation mode. In the full scan operation mode, the security analysis data comprises raw data retrievable on the computing system and/or a processed form of intermediary data. In the fast scan operation mode, the security analysis data comprises the first diagnosis.
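The three points on the spectrum described above (raw data retrievable on the computing system, an intermediary processed form, and the first diagnosis) and the two scan modes, as an added example that is not the patent's code. The collecting device parses a line-oriented self-analysis result into records; in fast scan mode it derives the first diagnosis itself and only that leaves the device, while in full scan mode it ships raw text plus records and the mobile device derives the diagnosis. The sample result, the baseline of expected listeners, the user-writable path markers and the detection rules are all constructed for this illustration and not taken from the page.

```python
"""Security analysis data: raw -> intermediary records -> first diagnosis,
and the fast/full scan modes of the collecting device.

Added example, not the patent's code.  Sample data and rules are constructed.
"""
import json
from typing import Dict, List

# Constructed sample self-analysis result: one record per line, space-separated
# key=value tokens (values therefore contain no spaces).  Not real tool output.
SAMPLE_RESULT = """\
os=Windows-10.0.19045
listen=tcp:445 proc=System
listen=tcp:4444 proc=svchost.exe path=C:\\Users\\Public\\svchost.exe
autorun=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater cmd=C:\\Users\\Public\\svchost.exe
autorun=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth cmd=C:\\Windows\\System32\\SecurityHealthSystray.exe
"""

# Assumed baseline for the sample host.
EXPECTED_LISTENERS = {"tcp:135", "tcp:139", "tcp:445"}
USER_WRITABLE = ("c:\\users\\", "\\temp\\", "\\appdata\\", "c:\\programdata\\")
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def parse_result(raw: str) -> List[Dict[str, str]]:
    """Raw text -> intermediary records (the 'processed form' the text mentions)."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec: Dict[str, str] = {}
        for token in line.split():
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def diagnose(records: List[Dict[str, str]]) -> Dict:
    """Intermediary records -> first diagnosis: a verdict plus the findings behind it."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, detail: str) -> None:
        findings.append({"severity": severity, "detail": detail})

    for rec in records:
        exe = (rec.get("path") or rec.get("cmd") or "").lower()
        from_writable = any(marker in exe for marker in USER_WRITABLE)
        if "listen" in rec:
            proc = rec.get("proc", "?")
            if rec["listen"] not in EXPECTED_LISTENERS:
                add("medium", f"unexpected listener {rec['listen']} ({proc})")
            if from_writable:
                add("high", f"listener {rec['listen']} runs from user-writable path {exe}")
            if proc.lower() in SYSTEM_PROCESSES and exe and not exe.startswith(SYSTEM_DIR):
                add("high", f"{proc} masquerade: running from {exe}")
        elif "autorun" in rec and from_writable:
            add("high", f"autorun {rec['autorun']} launches {exe}")

    if any(f["severity"] == "high" for f in findings):
        verdict = "likely compromised"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


def collecting_device_output(raw: str, mode: str) -> bytes:
    """What leaves the dongle over the second communication means, as JSON bytes.
    fast: only the first diagnosis; the raw result is neither kept nor sent.
    full: raw text plus intermediary records for processing elsewhere."""
    records = parse_result(raw)
    if mode == "fast":
        payload = {"mode": "fast", "diagnosis": diagnose(records)}
    elif mode == "full":
        payload = {"mode": "full", "raw": raw, "records": records}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return json.dumps(payload).encode()


def mobile_first_diagnosis(payload: bytes) -> Dict:
    """Mobile side: use the diagnosis as delivered (fast) or compute it (full)."""
    data = json.loads(payload)
    if data["mode"] == "fast":
        return data["diagnosis"]
    return diagnose(data["records"])


if __name__ == "__main__":
    fast = collecting_device_output(SAMPLE_RESULT, "fast")
    print(len(fast), "bytes in fast mode:", mobile_first_diagnosis(fast)["verdict"])
```

In full scan mode the same records can be forwarded unchanged by the mobile device to a remote server for a second diagnosis; in fast scan mode there is nothing to forward but the verdict, which is what makes that mode suitable when no trace of the raw data should exist on any of the three devices.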
The present invention is advantageous for several reasons. The collecting device comprises computer executable instructions for generating security analysis data about the computing system and also gathers this data. During this operation, the mobile device does not need to be present near the collecting device or computing system. During this operation, the mobile device also need not be in communication with the collecting device. Resources of the mobile device such as processor time or memory are not used during this operation. The mobile device can be carried away to another location and can, without restriction of the mentioned resources, be used for other functionalities such as searching for information on the internet or making a phone call, for example. Only when the gathered data is transmitted from the collecting device to the mobile device for processing should the mobile device be in communication with the collecting device to enable the transmission. Subsequently, during processing of the security analysis data resulting in the first diagnosis, the mobile device can again be distanced from the collecting device or computing system.
Collecting devices according to preferred embodiments of the first aspect of the present invention, which comprise a USB connector and a Bluetooth communications module, are known in the art as dongles. In what follows, we refer to the collecting device as a dongle, the first communication means as a USB connector, the second communication means as a Bluetooth communication module, and the third communication means as a Bluetooth communication module. However, it should be noted that these terms are only used to indicate a preferred embodiment of the present invention, and should not be interpreted as limiting. In what follows, a dongle may refer to any collecting device according to the first aspect of the present invention, USB connector and/or USB port may refer to any communication means suitable for communication between the computing system and the collecting device, and Bluetooth communication module may refer to any communication means suitable for communication between the collecting device and the mobile device.
Figure 1 shows a schematic overview of the devices (1, 3, 4, 5) and wireless communication channels (7, 8, 9, 10) which can be used in a preferred embodiment of the present invention. A security analysis of a computing system (1) comprising one or more USB ports (2) is desired. To this end, a dongle (3) is provided. The dongle (3) comprises a USB connector for connection (6) in a USB port (2) of the computing system (1). Upon connection, the dongle (3) receives power from the computing system (1). The dongle (3) further comprises a Bluetooth communications module for communicating (7, 8) with a mobile device (4). The dongle (3) also comprises a non- transitory storage medium comprising computer executable instructions for generating security analysis data about the computing system (1). After loading and executing the computer executable instructions, the security analysis data is gathered on the dongle (3) and transmitted (8) to the mobile device (4) via the Bluetooth communications module of the dongle (3).
The mobile device (4) may comprise a non-transitory storage medium for storing a mobile device program product. The mobile device program product comprises a plurality of mobile device executable instructions. The mobile device (4) further comprises a processor suitable for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a Bluetooth communications module. The mobile device program product comprises instructions to receive (8) the security analysis data from the dongle (3) via the Bluetooth communications module of the mobile device (4), process the received security analysis data resulting in a first diagnosis, and present information related to the first diagnosis on the display of the mobile device (4).
The dongle (3) comprises computer executable instructions for generating security analysis data about the computing system (1) and also gathers this data. During this operation, the mobile device (4) does not need to be present near the dongle (3) or the computing system (1). During this operation, the mobile device (4) also need not be in communication (7, 8) with the dongle. Resources of the mobile device (4) such as processor capability or memory are not used during this operation. The mobile device (4) can be carried away to another location and can, without restriction of the mentioned resources, be used for other functionalities such as searching for information on the internet or making a phone call, for example. Only when the gathered security analysis data is transmitted (8) from the dongle (3) to the mobile device (4) for processing should the mobile device (4) be present near the dongle (3) to enable the transmission. Subsequently, during processing of the security analysis data resulting in the first diagnosis, the mobile device (4) can again be distanced from the dongle (3) or the computing system (1). In an embodiment of the present invention, the mobile device program product further comprises mobile device executable instructions for presenting a starting option on the display of the mobile device (4). Upon selection of the starting option with the user input device of the mobile device (4), a starting signal is transmitted (7) from the mobile device (4) to the dongle (3). The reception of the starting signal with the Bluetooth communication module of the dongle (3) then triggers the loading of computer executable instructions from the non-transitory storage medium of the dongle (3) and their execution for obtaining the security analysis data.
In a preferred embodiment of the present invention, the dongle (3) further comprises a processor, and the computer executable instructions are executed on the processor of the dongle (3) in order to emulate one or more user input devices for obtaining the desired security analysis data. In an alternative embodiment of the present invention, the computing system (1) comprises a processor and the computer executable instructions are loaded from the non-transitory storage medium of the dongle (3) and executed by the processor of the computing system (1). In yet another embodiment of the present invention, the dongle (3) comprises a first processor and the computing system (1) comprises a second processor, and a part of the computer executable instructions are executed by the first processor and a part of the computer executable instructions are executed by the second processor.
In a preferred embodiment of the present invention, the mobile device (4) further comprises a Wi-Fi module and/or a wireless mobile telecommunications technology module suitable for communicating (9, 10) with a remote server (5). Furthermore, the mobile device program product comprises in this embodiment instructions to send (9) the security analysis data from the mobile device (4) to the remote server (5). On the remote server (5), the security analysis data is then processed resulting in a second diagnosis. Subsequently, the second diagnosis is sent (10) from the remote server (5) to the mobile device (4). The mobile device program product comprises instructions to receive the second diagnosis. It also comprises instructions to present information related to the second diagnosis on the display of the mobile device (4) upon reception.
If the processing of the security analysis data is rather involved and requires a large amount of processing time, preferably relating to a full scan mode, it can be advantageous to perform this processing on a better suited device such as a remote server (5). This remote server (5) can, for example, also comprise a database comprising a large amount of information for performing a more detailed security analysis, which is not suitable for storage on the non-transitory storage medium of the mobile device (4).
In a preferred embodiment of the present invention, the mobile device program product further comprises instructions for selecting one or more redress options from a redress option list based on the first and/or second diagnosis. The redress option list may include an update option for performing a software update on the computing system. The redress option list may also include a second opinion option if only a first diagnosis has been formed. The redress option list may further include a transmission option for sending redress information related to the security analysis data, which may fully or partially comprise the security analysis data, to a third-party service. The third-party service may be able to provide a human interpretation of the redress information. The third-party service may also be able to provide a third diagnosis based on a computer-implemented method for processing the redress information. The redress option list may further include a contact option for contacting a specialist service. The contact may be established via telephone. The contact may also be established by autofill and submission of an online form of the specialist service by the mobile device program product. Based on the first and/or second diagnosis, a stop option may also be presented, for example if no security breach of the computing system was detected. The mobile device program product may also comprise instructions to present the selected redress options on the display of the mobile device (4) as well as instructions to trigger a presented redress option upon selection of the presented option with the user input device of the mobile device (4). Most often, users requiring a security analysis of their computing system are not only unaware of possible threats, but also of means of redress to fix these possible threats. It may therefore be advantageous to suggest means of redress to the user when a threat is detected. This may save time and costs for the user to obtain a suitable means of redress.
In a preferred embodiment, the dongle (3) is configured to store the gathered security analysis data on its non-transitory storage medium, to fully or partially load the security analysis data upon reception of a transmission request from the mobile device (4), and to send the loaded full or partial security analysis data to the mobile device (4).
This is advantageous as it can enable performing the security analysis during multiple separate executions of the computer executable instructions. It is further advantageous because the security analysis data will also be available after, for example, an unexpected power cut, or when the mobile device has been distanced from the dongle (3) or the computing system (1) for a prolonged period and the computing system was rebooted. It can also be advantageous to enable sending several pieces of partial security analysis data at distinct times, for example upon request of a specific piece by the mobile device program product on the mobile device (4). This request can be triggered by the mobile device program product itself, or by the remote server (5), for example in generating the second diagnosis. Sending only the relevant pieces of the security analysis data may result in less transmitted data overall, limiting costs and time to obtain the first and/or second diagnosis.
In a preferred embodiment, the dongle (3) is able to determine a hardware and operating system specification of the computing system (1), and to send (8) the determined hardware and operating system specification to the mobile device (4). The determined hardware and operating system specification can be part of the security analysis data. It can also be transmitted separately from the security analysis data.
This is advantageous because a hardware and operating system specification may include important information for performing a security analysis. It may also be important to assess whether the non-transitory storage medium of the dongle (3) comprises computer executable instructions suitable for the computing system (1) under investigation. It may also be important to suggest and provide adequate software updates for the computing system via the redress options.
In a preferred embodiment of the present invention, the dongle (3) may be able to receive updated computer executable instructions from the mobile device (4) and to store the updated computer executable instructions on the non-transitory storage medium. The mobile device program product then comprises instructions to send (7) the updated computer executable instructions from the mobile device (4) to the dongle (3) via their respective Bluetooth communication modules. The mobile device program product may further include instructions to download the updated computer executable instructions from a second remote server. The mobile device program product may also obtain (10) the updated computer executable instructions from the remote server (5) suitable for generating the second diagnosis.
This is advantageous because it allows an update of the computer executable instructions on the dongle (3). This may be required if the instructions are outdated. This may also be required if the old computer executable instructions are not suitable for a hardware and/or operating system specification of the computing system (1) under investigation. This may further be required if during processing of the security analysis data on the remote server (5) further analysis is desired and the old computer executable instructions do not comprise the required instructions for the further analysis.
In a further aspect, which is not intended to limit the invention in any way, the invention relates to the following points 1-15.
1. Collecting device for a security analysis of a computing system, the collecting device comprising:
- a first communication means suitable for communicating with the computing system,
- a second communication means, which may be equal to or distinct from the first communication means, suitable for communicating with a mobile device,
- a non-transitory storage medium comprising computer executable instructions for generating security analysis data,
whereby the collecting device is configured to, upon establishing communication with the computing system via the first communication means:
- load the computer executable instructions from the non-transitory storage medium to execute the computer executable instructions,
- gather security analysis data from the computing system, and
- send the security analysis data to the mobile device via the second communication means.
2. Collecting device according to point 1, whereby the first communication means is a Universal Serial Bus connector and whereby the second communication means is a Bluetooth communications module.
3. Collecting device according to any one of points 1 and 2, whereby the collecting device comprises a processor and whereby the collecting device is configured to emulate one or more user input devices for gathering said security analysis data.
4. Collecting device for a security analysis of a computing system according to any one of points 1 to 3, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- store the gathered security analysis data on the non-transitory storage medium,
- receive a transmission request from the mobile device via the second communication means,
- fully or partially load the stored security analysis data from the non-transitory storage medium, and
- send the loaded full or partial security analysis data to the mobile device via the second communication means.
5. Collecting device for a security analysis of a computing system according to any one of points 1 to 4, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- determine a hardware and operating system specification of the computing system, and
- send the determined hardware and operating system specification to the mobile device via the second communication means.
6. Collecting device for a security analysis of a computing system according to any one of points 1 to 5, whereby the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- receive updated computer executable instructions from the mobile device via the second communication means, and
- store the updated computer executable instructions on the non-transitory storage medium.
7. Mobile device program product for a security analysis of a computing system, the mobile device program product comprising a plurality of mobile device executable instructions for execution on a mobile device, the mobile device comprising a processor for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a third communication means suitable for communicating with the second communication means of a collecting device according to any one of points 1 to 6, whereby the mobile device program product comprises instructions to:
- receive security analysis data from the collecting device via the third communication means,
- process the received security analysis data resulting in a first diagnosis, and
- present information related to the first diagnosis on the display of the mobile device.
8. Mobile device program product for a security analysis of a computing system according to point 7, the mobile device further comprising a fourth communication means, preferably a Wi-Fi module and/or wireless mobile telecommunications technology module, the fourth communication means suitable for communicating with a remote server, the mobile device program product comprising instructions to:
- send the security analysis data from the mobile device to the remote server, the remote server processing the security analysis data resulting in a second diagnosis,
- receive the second diagnosis from the remote server, and
- present information related to the second diagnosis on the display of the mobile device.
9. Mobile device program product for a security analysis of a computing system according to any one of points 7 and 8, the mobile device program product comprising instructions to:
- select one or more redress options from a redress option list based on one or more of the diagnoses,
- present the selected redress options on the display of the mobile device,
- if the redress option list comprises a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmit the redress information to the third-party service, and
- if the redress option list comprises a contact option for contacting a specialist service, contact the specialist service.
10. Mobile device program product for a security analysis of a computing system according to any one of points 7 to 9, the mobile device program product comprising instructions to send updated computer executable instructions intended for the collecting device to the collecting device via the third communication means.
11. Method for a security analysis of a computing system, the method comprising the steps of:
- enabling communication between a first device and the computing system,
- gathering security analysis data about the computing system on the first device,
- enabling communication between the first device and a second device,
- transmitting the security analysis data from the first device to the second device,
- processing the security analysis data on the second device resulting in a first diagnosis, and
- presenting information related to the first diagnosis on the second device.
12. Method for a security analysis of a computing system according to point 11, the method comprising the steps of:
- enabling communication between the second device and a second system,
- sending the security analysis data from the second device to the second system,
- processing the security analysis data on the second system resulting in a second diagnosis,
- sending the second diagnosis from the second system to the second device, and
- presenting information related to the second diagnosis on the second device.
13. Method for a security analysis of a computing system according to any one of points 11 and 12, the method comprising the steps of:
- presenting one or more selectable redress options based on one or more of the diagnoses on the second device,
- if the one or more selectable redress options comprise a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmitting the redress information to the third-party service upon selection of the transmission option, and
- if the one or more selectable redress options comprise a contact option for contacting a specialist service, contacting the specialist service upon selection of the contact option.
14. Method for a security analysis of a computing system according to any one of points 11 to 13, the method comprising the steps of:
- gathering a hardware and operating system specification of the computing system on the first device, and
- sending the gathered hardware and operating system specification from the first device to the second device.
15. Method for a security analysis of a computing system according to any one of points 11 to 14, the method comprising the steps of:
- sending instructions for gathering security analysis data about the computing system from the second device to the first device.
The invention is further described by the following non-limiting examples which further illustrate the invention, and are not intended to, nor should they be interpreted to, limit the scope of the invention.
EXAMPLES
Example 1
A user of a computer suspects a security breach. He requests a dongle according to the present invention from a service company, and downloads the associated application, i.e. the associated mobile device program product according to the present invention, on his smartphone. Figure 2 shows a block diagram of the steps for performing a security analysis of the computer. The user inserts the USB connector of the dongle in a USB port of his computer, the user computing system (201). The dongle receives power from the user computing system and its Bluetooth communications module can then be made visible to other devices. The user opens the application and searches for a dongle associated to the application. The dongle is found and the user establishes communication between his smartphone and the dongle (202). The user further selects the start option for a full scan on the touchscreen of his smartphone which triggers the sending of a start signal from the mobile device to the dongle (203). The computer executable instructions are loaded from the non-transitory storage medium of the dongle, executed on the processor of the dongle which emulates one or more user input devices in order to retrieve the desired security analysis data, and the security analysis data is stored on the non-transitory storage medium of the dongle (204). During step (204), the user gets out of his office to make a phone call with his smartphone. A while later, the user returns to the computing system, detects the dongle, and selects the option to transmit the security analysis data from the dongle to the mobile device (205). The security analysis data is processed by the application resulting in a first diagnosis regarding security breaches (206). Information related to the first diagnosis is presented on the touchscreen of the smartphone (207). This information indicates that a security breach is likely. A second diagnosis is proposed (208).
The user selects the corresponding option on the touchscreen of his smartphone, and the mobile device establishes communication with an analysis computing system (209), i.e. the remote server (5), via Wi-Fi. The security analysis data is sent from the smartphone to the analysis computing system (210), where it is processed resulting in a second diagnosis (211). This second diagnosis is sent to the mobile device (212) and presented on the touchscreen of the smartphone (207). A security breach has been detected. The application presents an option to call a specialist (208). The user selects this option, a telephone call to the specialist is triggered (213), and the user makes an appointment to get his computing system fixed.
Example 2
A dongle (collecting device), such as, for example, the one described in the first example, may be configured for working in a full scan operation mode or a fast scan operation mode. The application (mobile device program product) may then comprise instructions for presenting on the screen of the mobile device information for selecting one of the two operation modes. The full scan operation mode may require the reception of a key from the provider of the dongle and/or the acceptance by the user of an agreement and/or the payment of a fee by the user to the provider of the dongle.
In the fast scan operation mode, the security analysis data comprises the first diagnosis. The first diagnosis preferably comprises a threat level indication. This may be a discrete threat level indication such as 'yes', 'maybe', or 'no' or a continuous threat level indication such as a percentage value. Preferably, no security analysis data is stored on the dongle in the fast scan operation mode. Preferably, said threat level indication is the security analysis data which is communicated from the dongle to the mobile device.
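As an added example that is not part of the patent, the following Python models two pieces of the mobile device program product described above: normalising a threat level indication of the kind used in the fast scan mode (discrete 'yes', 'maybe', 'no' or a percentage) and selecting redress options from the redress option list of the description (update, second opinion, transmission, contact, stop). The option identifiers, the discrete-to-percentage mapping, the precedence of the second diagnosis, and the `updates_pending` field of the hardware and operating system specification are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Discrete threat level indications named in the description, mapped to a
# percentage so both forms can be compared (the mapping is an assumption).
DISCRETE_LEVELS = {"no": 0.0, "maybe": 50.0, "yes": 100.0}

# Redress option list from the description; the identifiers are assumed names.
UPDATE, SECOND_OPINION, TRANSMISSION, CONTACT, STOP = (
    "update", "second_opinion", "transmission", "contact", "stop")


@dataclass
class Diagnosis:
    source: str            # "mobile" for the first diagnosis, "server" for the second
    threat_percent: float  # 0.0 .. 100.0
    updates_pending: bool  # taken from the hardware/OS specification sent by the dongle


def parse_threat_level(value: Union[str, int, float]) -> float:
    """Normalise a discrete ('yes'/'maybe'/'no') or continuous ('42%', 42)
    threat level indication to a percentage; anything else is rejected."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in DISCRETE_LEVELS:
            return DISCRETE_LEVELS[text]
        value = text.rstrip("%")
    try:
        percent = float(value)
    except (TypeError, ValueError):
        raise ValueError(f"unrecognised threat level: {value!r}")
    if not 0.0 <= percent <= 100.0:
        raise ValueError(f"threat level out of range: {percent}")
    return percent


def make_diagnosis(source: str, threat_level, spec: Optional[dict] = None) -> Diagnosis:
    """Build a diagnosis from security analysis data. `spec` is the (constructed)
    hardware and operating system specification, if the dongle sent one."""
    pending = bool(spec and spec.get("updates_pending"))
    return Diagnosis(source, parse_threat_level(threat_level), pending)


def select_redress_options(first: Diagnosis, second: Optional[Diagnosis] = None) -> list:
    """Select redress options from the redress option list. When a second
    diagnosis exists it is decisive, because the remote server holds the
    larger database (assumed precedence)."""
    decisive = second if second is not None else first
    if decisive.threat_percent == 0.0:
        return [STOP]                   # no breach detected: only the stop option
    options = []
    if decisive.updates_pending:
        options.append(UPDATE)          # software update on the computing system
    if second is None:
        options.append(SECOND_OPINION)  # only a first diagnosis has been formed
    options.append(TRANSMISSION)        # redress information to a third-party service
    options.append(CONTACT)             # contact a specialist service
    return options
```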
An example of an embodiment of a full scan operation mode may be found in the block diagram shown in Figure 2 and described in the abovementioned first example.
Example 3
A dongle (collecting device), such as, for example, the one described in the first and second example, may be configured for working in a fast scan operation mode. The dongle is connected to the computing system by means of a USB connector. The dongle is powered by the computing system and emulates an HID keyboard. The dongle is recognized by the computing system and is directly operable, without the need to install drivers, because the operating system present on the computing system supports HID keyboards by default. The user uses a security analysis application on his/her smartphone to connect to the dongle via Bluetooth. The user instructs to start the security analysis. This leads to a signal being sent to the dongle, causing the dongle to initiate the gathering of security analysis data. In a first step, the dongle sends an instruction to the computing system to open a PowerShell. This opens a PowerShell window on the computing system, which is visible for the user. In a next step, the dongle sends self-analysis instructions to the computing device via the HID interface in the form of keystrokes, which are executed one by one by the computing system while being visible for the user in the PowerShell. The execution of all self-analysis instructions causes a security variable on the computing system to be set to 0, indicating that no security problem is detected. This value is transferred via the HID interface to the dongle as a modulation of the "caps lock on" field (and/or "shift lock on" field). Once received by the dongle, the dongle sends the security variable value of zero to the smartphone via Bluetooth. An indication that no security problem is detected is displayed on the screen of the smartphone.

Claims
1. Collecting device for a security analysis of a computing system, the collecting device comprising:
- a first communication means suitable for communicating with the computing system,
- a second communication means suitable for communicating with a further device,
- a non-transitory storage medium comprising computer executable instructions for generating security analysis data,
whereby the collecting device is configured to, upon establishing communication with the computing system via the first communication means:
- load the computer executable instructions from the non-transitory storage medium to execute the computer executable instructions,
- gather security analysis data from the computing system, and
- send the security analysis data to the further device; characterized in that said further device is a mobile device, and in that said sending of the security analysis data is performed via said second communication means being different from said first communication means.
2. Collecting device according to claim 1, characterized in that said step of loading of said computer executable instructions and said executing is triggered by a user-selected instruction from said mobile device via said second communication means, wherein preferably said user of said mobile device is also a user of said computing system.
3. Collecting device according to claims 1-2, characterized in that said collecting device is a dongle, wherein preferably a largest dimension of said collecting device is not larger than 150 mm, more preferably wherein an outer surface of said collecting device is contained entirely in a volume of dimensions 150 mm x 50 mm x 50 mm.
4. Collecting device according to claims 1-3, characterized in that said security analysis data is not stored on either of said computing system and said collecting device; preferably not stored on any of said computing system, said collecting device, and said mobile device.
5. Collecting device according to claims 1-4, characterized in that said computer executable instructions comprise a plurality of self-analysis instructions, said self-analysis instructions preferably being scripting language instructions, for execution by said computing system for performing said security analysis as a self-analysis, and in that said step of gathering security analysis data from the computing system comprises, preferably consists of, the sub-steps of:
- transferring, by said collecting device, said plurality of self-analysis instructions to said computing system via said first communication means;
- letting said computing system execute said plurality of self-analysis instructions for performing said security analysis as said self-analysis, yielding said security analysis data being a self-analysis result;
- receiving, by said collecting device, said self-analysis result.
6. Collecting device according to claim 5, characterized in that said plurality of self-analysis instructions relates to human-interpretable instructions, preferably scripting language instructions and/or source code instructions, in that said computing device comprises a display, and in that said step of transferring said plurality of self-analysis instructions by said collecting device to said computing system comprises transferring a visualization-related instruction intended for said computing system for requiring said computing system to display at least one of said plurality of self-analysis instructions during and/or after said execution of said plurality of self-analysis instructions, preferably for requiring said computing system to display said plurality of self-analysis instructions as they are being executed by said computing system in real-time.
7. Collecting device according to claims 1-6, characterized in that said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating an HID keyboard or an HID joystick.
8. Collecting device according to claims 5-6, characterized in that said first communication means relates to a HID-protocol-based communication wherein said computer system acts as host and wherein said collecting device emulates a HID device, said collecting device preferably emulating an HID keyboard or an HID joystick; in that said transferring of said plurality of self-analysis instructions relates to transferring a sequence of HID instructions representing said plurality of self-analysis instructions from said collecting device to said computing system, and in that said receiving of said self-analysis by said collecting device relates to receiving one or more HID instructions representing said self-analysis.
9. Collecting device according to claims 7-8, characterized in that the first communication means complies with any or any combination of the following: USB HID, Bluetooth HID, Serial HID remote control receiver, ZigBee HID, HID over I2C, HID over GATT.
10. Collecting device according to claims 1-9, characterized in that the first communication means is a Universal Serial Bus connector and/or whereby the second communication means is a Bluetooth communications module.
11. Collecting device according to claims 1-10, characterized in that the collecting device comprises a processor and whereby the collecting device is configured to emulate one or more user input devices for gathering said security analysis data.
12. Collecting device for a security analysis of a computing system according to claims 1-11, characterized in that the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- determine a hardware and operating system specification of the computing system, and
- send the determined hardware and operating system specification to the mobile device via the second communication means.
13. Collecting device for a security analysis of a computing system according to claims 1-12, characterized in that the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- store the gathered security analysis data on the non-transitory storage medium,
- receive a transmission request from the mobile device via the second communication means,
- fully or partially load the stored security analysis data from the non-transitory storage medium, and
- send the loaded full or partial security analysis data to the mobile device via the second communication means.
14. Collecting device for a security analysis of a computing system according to claims 1-13, characterized in that the collecting device is further configured to, upon establishing communication with the computing system via the first communication means:
- receive updated computer executable instructions from the mobile device via the second communication means, and
- store the updated computer executable instructions on the non-transitory storage medium.
15. Collecting device for a security analysis of a computing system according to claims 1-14, characterized in that the collecting device is further configured to:
- preferably, upon establishing communication with the computing system via the first communication means, determine a hardware and operating system specification of the computing system, and send the determined hardware and operating system specification to the mobile device via the second communication means;
- upon establishing communication with the mobile device over the second communication means, let the mobile device download updated computer executable instructions from a remote server preferably taking into account said determined hardware and operating system specification, said downloading preferably via a further communication means different from said first and said second communication means,
- receive said updated computer executable instructions from the mobile device via the second communication means, and
- store the updated computer executable instructions on the non-transitory storage medium.
16. Collecting device according to claims 5-15, characterized in that said collecting device is configured by a user of said mobile device and/or pre-configured for operating in a fast scan mode, wherein said operating in fast scan mode results in said self-analysis result not being stored on said collecting device for avoiding propagation of said self-analysis result via said collecting device, preferably wherein a memory state of said non-transitory storage medium remains unaltered throughout the execution of any or any combination of the steps of:
- said loading of said computer executable instructions,
- said gathering of said security analysis data, and
- said sending of said security analysis data.
17. Mobile device program product for a security analysis of a computing system, the mobile device program product comprising a plurality of mobile device executable instructions for execution on a mobile device, the mobile device comprising a processor for executing the mobile device executable instructions, a display, a user input device to select an option presented on the display, and a third communication means suitable for communicating with the second communication means of a collecting device according to any one of claims 1-16, whereby the mobile device program product comprises instructions to:
- receive security analysis data from the collecting device via the third communication means,
- process the received security analysis data resulting in a first diagnosis, and
- present information related to the first diagnosis on the display of the mobile device.
18. Mobile device program product for a security analysis of a computing system according to claim 16, the mobile device further comprising a fourth communication means, preferably a Wi-Fi module and/or wireless mobile telecommunications technology module, the fourth communication means suitable for communicating with a remote server, the mobile device program product comprising instructions to:
- send the security analysis data from the mobile device to the remote server, the remote server processing the security analysis data resulting in a second diagnosis,
- receive the second diagnosis from the remote server, and
- present information related to the second diagnosis on the display of the mobile device.
19. Mobile device program product for a security analysis of a computing system according to claims 17-18, the mobile device program product comprising instructions to:
- select one or more redress options from a redress option list based on one or more of the diagnoses,
- present the selected redress options on the display of the mobile device,
- if the redress option list comprises a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmit the redress information to the third-party service, and
- if the redress option list comprises a contact option for contacting a specialist service, contact the specialist service.
20. Mobile device program product for a security analysis of a computing system according to claims 17-19, the mobile device program product comprising instructions to send updated computer executable instructions intended for the collecting device to the collecting device via the third communication means.
21. Method for a security analysis of a computing system, the method comprising the steps of:
- providing a collecting device and a further device, said collecting device comprising
o a non-transitory storage medium,
o a first communication means, and
o a second communication means,
- enabling communication between the collecting device and the computing system via said first communication means,
- enabling communication between the collecting device and the further device via said second communication means,
- preferably, letting said collecting device determine a hardware and operating system specification of the computing system,
- preferably, sending said hardware and operating system specification from said collecting device to said further device via said second communication means and receiving, via said second communication means, updated computer executable instructions by said collecting device from said further device,
- loading computer executable instructions, preferably said computer executable instructions being said updated computer executable instructions, from said non-transitory storage medium,
- executing the computer executable instructions for gathering security analysis data about the computing system on the collecting device,
- transmitting the security analysis data from the collecting device to the further device,
- preferably, letting the further device process the security analysis data resulting in a first diagnosis, and
- preferably, letting the further device present information related to the first diagnosis, characterized in that said further device is a mobile device, and in that said transmitting of the security analysis data is performed via said second communication means, being different from said first communication means.
22. Method according to claim 21, characterized in that the method comprises the further steps of:
- letting the mobile device process the security analysis data resulting in a first diagnosis, and
- letting the mobile device present information related to the first diagnosis, said information relating to one or more user-selectable actions relating to a second diagnosis,
- receiving a selection of a user relating to said one or more user-selectable actions,
- based upon said selection, enabling communication between the mobile device and a second system corresponding to said selection,
- sending the security analysis data from the mobile device to the second system,
- processing the security analysis data on the second system resulting in a second diagnosis,
- sending the second diagnosis from the second system to the mobile device, and
- letting said mobile device present information related to the second diagnosis.
23. Method according to claims 21-22, characterized in that the method comprises the further steps of:
- presenting one or more selectable redress options based on one or more of the diagnoses on the mobile device,
- if the one or more selectable redress options comprise a transmission option for transmitting redress information related to the security analysis data to a third-party service, transmitting the redress information to the third-party service upon selection of the transmission option, and
- if the one or more selectable redress options comprise a contact option for contacting a specialist service, contacting the specialist service upon selection of the contact option.
24. Method according to claims 21-23, characterized in that said computer executable instructions comprise a plurality of self-analysis instructions, said self-analysis instructions preferably being scripting language instructions, for execution by said computing system for performing said security analysis as a self-analysis, and in that said step of gathering security analysis data from the computing system comprises, preferably consists of, the sub-steps of:
- transferring, by said collecting device, said plurality of self-analysis instructions to said computing system via said first communication means;
- letting said computing system execute said plurality of self-analysis instructions for performing said security analysis as said self-analysis, yielding said security analysis data being a self-analysis result;
- receiving, by said collecting device, said self-analysis result.
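The method of claims 21 and 24 can be read as a small protocol between three parties: the computing system (reachable by the collecting device over the first communication means only), the collecting device, and the mobile device (reachable over the second communication means only). The following Python simulation is an added example, not code from the patent or its applicant; it models the spec-driven selection of updated instructions, the transfer of scripting-language self-analysis instructions to the computing system, their execution there, and the first diagnosis on the mobile device. The host state, the instruction bundles, the class names and the rule thresholds are all constructed for illustration; the digest check on the received bundle is an assumed integrity measure, not a step the claims recite.

```python
"""Added example: simulation of the two-channel self-analysis flow of claims 21 and 24.
All names, bundles and host data below are constructed for illustration."""
import hashlib
import json

# Constructed sample state of the computing system under analysis (not a real scan).
SAMPLE_HOST = {
    "os": "Windows",
    "os_version": "10.0.19041",
    "last_patch_days_ago": 120,
    "listening_ports": [135, 445, 3389],
    "autoruns": [
        {"path": r"C:\Program Files\Vendor\agent.exe", "signed": True},
        {"path": r"C:\Users\Public\update.exe", "signed": False},
    ],
}

# Self-analysis instruction bundles keyed by operating system (assumed format).
# Each script is scripting-language text executed by the computing system itself,
# as in claim 24; it reads `host` and writes its findings into `result`.
SELF_ANALYSIS_BUNDLES = {
    "Windows": {"version": 2, "scripts": {
        "patch_level": "result['patch_days'] = host['last_patch_days_ago']",
        "remote_access": "result['remote_ports'] = "
                         "[p for p in host['listening_ports'] if p in (23, 3389, 5900)]",
        "autoruns": "result['unsigned_autoruns'] = "
                    "[a['path'] for a in host['autoruns'] if not a['signed']]",
    }},
    "Linux": {"version": 2, "scripts": {
        "patch_level": "result['patch_days'] = host['last_patch_days_ago']",
        "remote_access": "result['remote_ports'] = "
                         "[p for p in host['listening_ports'] if p in (23, 5900)]",
    }},
}


def bundle_digest(bundle):
    """SHA-256 over a canonical JSON encoding of an instruction bundle."""
    canonical = json.dumps(bundle, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ComputingSystem:
    """The system under analysis; reachable only over the first communication means."""

    def __init__(self, state):
        self.state = state

    def spec(self):
        return {"os": self.state["os"], "os_version": self.state["os_version"]}

    def run_self_analysis(self, scripts):
        """Execute the transferred scripts locally; the result is the self-analysis result."""
        result = {}
        for source in scripts.values():
            exec(source, {"host": self.state, "result": result})
        return result


class MobileDevice:
    """The further device; reachable only over the second communication means."""

    def updated_instructions(self, spec):
        """Pick the bundle matching the reported spec; ship it with a digest (assumed)."""
        bundle = SELF_ANALYSIS_BUNDLES[spec["os"]]
        return bundle, bundle_digest(bundle)

    def diagnose(self, data):
        """First diagnosis: rule-based findings over the self-analysis result."""
        findings = []
        if data.get("patch_days", 0) > 90:
            findings.append("patch level older than 90 days")
        for port in data.get("remote_ports", []):
            findings.append(f"remote access service listening on port {port}")
        for path in data.get("unsigned_autoruns", []):
            findings.append(f"unsigned autorun entry: {path}")
        return findings


class CollectingDevice:
    """Bridges the two channels; the computing system never talks to the mobile device."""

    def __init__(self):
        self.storage = {}  # stands in for the non-transitory storage medium

    def fetch_instructions(self, system, mobile):
        spec = system.spec()                                # first communication means
        bundle, digest = mobile.updated_instructions(spec)  # second communication means
        if bundle_digest(bundle) != digest:                 # assumed integrity check
            raise ValueError("instruction bundle failed integrity check")
        self.storage["bundle"] = bundle                     # load into storage medium
        return bundle["version"]

    def gather(self, system):
        scripts = self.storage["bundle"]["scripts"]
        return system.run_self_analysis(scripts)            # transfer + execute + receive


def run_security_analysis(host_state):
    """End-to-end flow: spec -> updated instructions -> self-analysis -> first diagnosis."""
    system, collector, mobile = ComputingSystem(host_state), CollectingDevice(), MobileDevice()
    collector.fetch_instructions(system, mobile)
    data = collector.gather(system)           # security analysis data
    return mobile.diagnose(data)              # transmitted over the second channel


if __name__ == "__main__":
    for finding in run_security_analysis(SAMPLE_HOST):
        print(finding)
```

The design point the simulation makes explicit is the channel separation the claims characterize: the computing system only ever sees the collecting device, so a compromised host cannot reach the mobile device or the remote server directly, and the collecting device carries nothing but the instruction bundle and the resulting data. Because the collecting device executes whatever updated instructions it receives, a practitioner would pair the update step with an integrity check such as the digest above (or, better, a signature verified against a key stored on the collecting device); that check is an addition here, not part of the claims.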
25. Use of the method according to claims 21-24 in the collecting device according to claims 1-16.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP17174591.2A EP3413228A1 (en) 2017-06-06 2017-06-06 Collecting device, mobile device program product, and method for a security analysis of a computing system
EP17174591.2 2017-06-06

Publications (1)

Publication Number Publication Date
WO2018224571A1 true WO2018224571A1 (en) 2018-12-13

Family

ID=59054996

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/064940 WO2018224571A1 (en) 2017-06-06 2018-06-06 Collecting device, mobile device program product, and method for a security analysis of a computing system

Country Status (3)

Country Link
EP (1) EP3413228A1 (en)
BE (1) BE1025948B1 (en)
WO (1) WO2018224571A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120324067A1 (en) 2011-06-17 2012-12-20 Adiseshu Hari Method and apparatus for remote delivery of managed usb services via a mobile computing device
US20120324577A1 (en) * 2011-06-14 2012-12-20 Honeywell International Inc. Detecting malicious software on a computing device with a mobile device
US20140115487A1 (en) 2012-10-24 2014-04-24 Beta Brain, Inc. Remotely accessing a computer system
US8793795B1 (en) 2005-01-28 2014-07-29 Intelligent Computer Solutions, Inc. Computer forensic tool
US9654496B1 (en) 2015-03-31 2017-05-16 Juniper Networks, Inc. Obtaining suspect objects based on detecting suspicious activity
Also Published As

Publication number Publication date
EP3413228A1 (en) 2018-12-12
BE1025948B1 (en) 2019-08-20
BE1025948A1 (en) 2019-08-14
Legal Events

Code Title / Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18727849; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18727849; Country of ref document: EP; Kind code of ref document: A1)